This talk will present an assortment of security topics related to open source cloud computing technologies. Topics will include an overview of the most significant security flaws discovered over the last year in popular cloud platforms, the generic foundations of advanced persistent threats, and some of the recent countermeasures for encryption, key management, and platform validation being introduced into OpenStack and Hadoop. A demo of Trusted Compute Pools will also be given, together with an explanation of which types of advanced threats it protects against.
It would seem that, despite the exponential growth in security products, security services, security companies, security certifications, and general interest in the security topic, we are still bombarded with a constant parade of security vulnerability disclosures on a seemingly daily basis. Since complete protection from threats and vulnerabilities at the front end of the infrastructure is impossible, and advanced threats will find their way past our defenses, efforts to protect the data and the ‘keys to the castle’, which are the last line of defense, are even more critical.
The hardware enabling ‘trusted computing’ is referred to as a Trusted Platform Module (TPM), and is designed as a commodity chip that is integrated into motherboards, as well as appliances such as network switches, firewalls, and embedded devices. The TPM provides features that are useful for providing assurances about the state of a platform and for protecting sensitive information. Essentially, the chip can be used to generate, store, and protect encryption keys. It also provides a mechanism to record the state of a platform through a traceable, cryptographic mechanism (a chain of measurements of each boot component), which can be securely attested to a remote verifier. TPMs have been around for a while but saw slow uptake in actual use until recently, due to initial privacy concerns that have now been mostly overcome. Many cloud deployments include hardware with a TPM, but it is rarely used.

Championed by Intel and others, support for using the TPM and the related Intel TXT to provide remote attestation has been included in OpenStack in the form of Trusted Compute Pools. This feature can detect systems within the cloud that have booted untrusted code and block guests from being scheduled on them. This will be demonstrated on a live system. While this boot-time detection of untrusted code is beneficial, there are other ways a TPM could be utilized to better protect user or application data via strong and cheap protection of keys. Work being done in OpenStack to utilize the TPM for key protection will also be discussed. In addition, when configuring bare metal systems, there are many other ways to use the TPM, such as with the IMA/EVM subsystem or by using the TPM to protect the keys used in disk encryption, applications, or user data. Some of the common tools for using TPMs on bare metal systems will be enumerated.

Lastly, although not necessarily a ‘cloud’ platform, Hadoop is a mainstay in the related field of big data. Until recently, the lack of block-level encryption has been an issue for organizations looking to protect Hadoop data. We will discuss the architecture of the Hadoop encryption framework and considerations for key protection.
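To make the attestation mechanism behind Trusted Compute Pools concrete, the following is an added example (not code from the talk, from OpenStack, or from Intel's attestation service) that models the TPM's PCR extend chain in Python. The event log, the component names and the PCR index assignments are constructed for illustration; a verifier replays the log into expected PCR values, records a whitelist from a known-good boot, and flags any later quote whose PCRs deviate. The cryptographic signature a real TPM places on a quote with its attestation key is out of scope here, so the block assumes the quoted PCR values are already authenticated.

```python
import hashlib
from typing import Dict, List, Tuple

# Hypothetical measured-boot event log: (PCR index, component image bytes).
# Index assignments (0 firmware, 4 boot loader, 8/9 kernel and initrd) follow
# common conventions but are illustrative; the component bytes are constructed.
Event = Tuple[int, bytes]

GOLDEN_BOOT: List[Event] = [
    (0, b"firmware build 1.2 (constructed)"),
    (4, b"grub 2.02 (constructed)"),
    (8, b"vmlinuz-4.4.0 (constructed)"),
    (9, b"initrd.img-4.4.0 (constructed)"),
]

PCR_SIZE = 32  # SHA-256 bank: each PCR holds one 32-byte digest


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: new PCR = H(old PCR || measurement).

    The PCR can only be extended, never written, so the final value depends on
    every measurement and on the order in which they were recorded.
    """
    return hashlib.sha256(pcr + measurement).digest()


def replay_event_log(events: List[Event]) -> Dict[int, bytes]:
    """Recompute the PCR bank a platform would hold after booting these events."""
    pcrs: Dict[int, bytes] = {}
    for index, component in events:
        measurement = hashlib.sha256(component).digest()  # hash of the loaded image
        pcrs[index] = pcr_extend(pcrs.get(index, bytes(PCR_SIZE)), measurement)
    return pcrs


def build_whitelist(events: List[Event]) -> Dict[int, str]:
    """Record the expected PCR values (hex) from a known-good boot."""
    return {index: value.hex() for index, value in replay_event_log(events).items()}


def verify_quote(quoted_pcrs: Dict[int, bytes], whitelist: Dict[int, str]) -> List[int]:
    """Return the PCR indices that deviate from the whitelist; empty means trusted.

    A PCR missing from the quote is treated as a mismatch rather than ignored.
    """
    return sorted(
        index
        for index, expected in whitelist.items()
        if quoted_pcrs.get(index, b"").hex() != expected
    )


def boot_with_replaced_kernel() -> List[Event]:
    """Constructed log where only the kernel image differs from the golden boot."""
    return [
        (index, b"vmlinuz-4.4.0 (modified, constructed)" if index == 8 else component)
        for index, component in GOLDEN_BOOT
    ]


def boot_with_reordered_measurements() -> List[Event]:
    """Constructed log with the same images but kernel and initrd both in PCR 8,
    recorded in swapped order; the extend chain makes this detectable too."""
    return [
        (0, GOLDEN_BOOT[0][1]),
        (4, GOLDEN_BOOT[1][1]),
        (8, GOLDEN_BOOT[3][1]),
        (8, GOLDEN_BOOT[2][1]),
    ]


if __name__ == "__main__":
    whitelist = build_whitelist(GOLDEN_BOOT)
    for label, log in [
        ("golden boot", GOLDEN_BOOT),
        ("replaced kernel", boot_with_replaced_kernel()),
        ("reordered measurements", boot_with_reordered_measurements()),
    ]:
        bad = verify_quote(replay_event_log(log), whitelist)
        verdict = "trusted" if not bad else f"untrusted (PCRs {bad} deviate)"
        print(f"{label}: {verdict}")
```

In the scheduler use case described above, the verifier's answer is the only thing the cloud needs: a host whose quote returns a non-empty deviation list is excluded from the trusted pool so that guests requiring a trusted host are not placed on it. The whitelist is rebuilt whenever firmware, boot loader or kernel are legitimately updated, since any change to those images changes the expected PCR values.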
Dr. Jason C. Cohen is a senior technology consultant at Hewlett Packard, with over 13 years of industry experience in the area of enterprise information technology for the US public sector with a focus on security solutions. He has extensive expertise in IT architecture, security, secure application design, distributed systems, Trusted Computing, and secure cross-domain solutions. Jason has several published research articles related to the application of Trusted Computing technology in distributed systems to combat advanced threats. Jason holds a Doctor of Science in Applied Information Technology from Towson University and holds a master’s degree from Towson University in applied information technology and a bachelor’s degree in computer science from Goucher College. Jason is an active participant in IEEE and ACM, and has presented at several industry/academic conferences.
linux.conf.au is widely regarded by delegates as one of the best community run Linux conferences worldwide and is the largest Linux and Open Source Software conference in the Asia-Pacific.