Openstack Security Overview - May 2012
•Download as PPTX, PDF•
1 like•558 views
Dome9 Co-founder & CEO, Zohar Alon, presents on OpenStack cloud security citing HP Cloud, Quantum, and his own, Dome9.
Recommended
More Related Content
Recently uploaded
Recently uploaded (20)
Featured
Featured (20)
Openstack Security Overview - May 2012
- 1. Israel May 2012 OpenStack Security Overview Israel May 2012 2012 and beyond Zohar Alon Co-Founder & CEO Dome9 Security zohar@dome9.com @zoharalon Dome9 Security Ltd. – http://www.dome9.com
- 2. Dome9 Quick Background Israel May 2012 • Dome9’s Mission Manage All Cloud Security Stacks Dome9 Founded: 2010 – Operating System, First GA: Sept ‘11 Virtual Machine Backing: Opus Capital and/or any V*LAN Policy Employees: 10 – Firewall, VPN, IDS, Auditing & Logging – Technology & Service Provider Agnostic • Pat. Pending Security Automation & SSH Strengthening • Highly Affordable SaaS offering – Users installs and manages – Freemium to 4₵/server/hour
- 3. OpenStack Security Considerations Israel May 2012 • What are you building? – Public or Private • Access Credentials? – root::alpine is good • Key Pairs – Make sure we all have a copy of all .pems in our Gmails/DBoxes • Security Groups – Any, Any, Any, Accept – It just works! • Data Sensitivity Constrains – Nothing is encrypted, unless you work hard; HTTPS is almost free • Inside the VMs – Its not my responsibility. Is it? • Other Places to avoid consider: – API security, Image Safety, Backups, Logs
- 4. HP Cloud – OpenStack Public IaaS Israel May 2012 • Out-of-the-Box OpenStack as a public IaaS – Diablo based; Nova and Swift; in public beta now – 3 Availability Zones (≠ AWS AZ) – EC2 API compatible listener – Flat network; Floating (Elastic)/Temp Public/Private IP • Security – EC2 Style Security Groups • Inbound, port ranges, SG2SG within same AZ – Instance Authentication through SSH key-pairs • No import or sharing between AZs – Object Storage (Swift): Public or Private setting • No Data-at-rest Encryption
- 5. HP Cloud Security Group Israel May 2012
- 6. Quantum: Virtualizing the Network Israel May 2012 • Tenant Facing API for network management – Enables rich multi-level network topologies – Decouples “Logical” network from “Physical” constrains • Abstract Advanced Network Elements (soon…) – Firewalls, VPNs, LBs, NAT, DHCP – We’ll manage them as they come, but be patient • Quantum Security Groups: More robust! – Per VIF vs. Per VM – Inbound and Outbound – Flexibility could lead to complexity
- 7. Quantum Physical vs. Virtual + Firewalling Israel May 2012
- 8. Dome9 for OpenStack Announcing Private Cloud Connector Israel May 2012 • Define, Manage and automate OpenStack SGs • Leverage Host- based Policies where required • Share your Objects: Networks, Serve rs and Users across Clouds
- 9. Dome9 Central Rule Your Cloud Security Policy Israel May 2012
- 10. Credits and Thanks Israel May 2012 • Salvatore Orlando, Citrix @taturiello – http://www.infoq.com/presentations/Quantum-Virtual-Networks-for- OpenStack • Dave Lapsley, nicira @davlaps – http://slidesha.re/HQvDTk • Joshua McKenty, Piston Cloud @jmckenty – http://www.slideshare.net/joshuamckenty/open-stack-security-emea- launch • Thank you! Zohar Alon zohar@dome9.com @zoharalon • PS don’t forget to ask your DevOps to sharpen their networking skills!