• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Securing open stack for compliance
 

Securing open stack for compliance

on

  • 1,034 views

Slides from lecture delivered at OpenStack Summit Hong Kong

Slides from lecture delivered at OpenStack Summit Hong Kong

Statistics

Views

Total Views
1,034
Views on SlideShare
1,034
Embed Views
0

Actions

Likes
3
Downloads
29
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Securing open stack for compliance Securing open stack for compliance Presentation Transcript

    • Securing for compliance Tomasz ‘Zen’ Napierała Sr. OpenStack Engineer ©  MIRANTIS  2013   PAGE  1  
    • Tomasz Z. Napierała Senior OpenStack Engineer @ Mirantis, Inc. automation, web performance, compliance, security ©  MIRANTIS  2013   PAGE  2  
    • Mirantis, Inc. Largest independent vendor of OpenStack services and technology. We operate from Mountain View, California, with remote offices in Russia, Ukraine and Poland. 60+ successful OpenStack implementations and 400+ infrastructure experts. ©  MIRANTIS  2013   PAGE  3  
    • Mirantis, Inc. ©  MIRANTIS  2013   PAGE  4  
    • Agenda ©  MIRANTIS  2013   PAGE  5  
    • What’s included •  State of cloud compliance •  Modules overview •  Practical tips ©  MIRANTIS  2013   PAGE  6  
    • What’s not included •  Securing VMs •  Guarantee ©  MIRANTIS  2013   PAGE  7  
    • PCI DSS overview ©  MIRANTIS  2013   PAGE  8  
    • PCI DSS recap •  Set of policies and procedures •  Optimize security of financial data processing •  Protect cardholders •  12 general requirements •  Ongoing process •  PCI DSS version 2.0 ©  MIRANTIS  2013   PAGE  9  
    • State of compliance in cloud •  Not possible (pre 2012) •  Hard, not clear (pre 2013) •  PCI DSS 2.0 Cloud Computing Guide (Feb. 2013) •  Production deployments •  Rackspace ©  MIRANTIS  2013   PAGE  10  
    • Where are we 12  x   Rely  on  Cloud  Service  Provider   for  HW-­‐>Hypervisor  related  compliance   Phil  Cox,  RightScale   ©  MIRANTIS  2013   PAGE  11  
    • Whare are we VM   Hypervisor   Storage   Network   Hardware   ©  MIRANTIS  2013   PAGE  12  
    • PCI DSS requirements Source:  hSp://www.datasecureworks.com/images/Trustwave/pci-­‐requirements-­‐grid.png   ©  MIRANTIS  2013   PAGE  13  
    • Projects history •  Initially launched for customer (2 engineers) •  Moved into internal project (2+ engineers) •  Some parts reused in other projects •  2 clients using the tools ©  MIRANTIS  2013   PAGE  14  
    • Projects limitations •  RedHat / CentOS compatible •  Only for private IaaS clouds •  Operator centric •  Technology focused •  Everything in scope •  No “redo” •  No OpenStack patches •  No firwall management ©  MIRANTIS  2013   PAGE  15  
    • Ingredients ©  MIRANTIS  2013   PAGE  16  
    • Elements •  Baseline hardening •  HSM PoC •  Auditing system •  Log collection system •  Intra cluster secure communication •  Audit tools •  Documentation ©  MIRANTIS  2013   PAGE  17  
    • Tools •  Fuel extension •  Puppet modules •  OpenStack patches (not included) •  OpenSCAP profiles (SRR) •  Documentation •  Checklist ©  MIRANTIS  2013   PAGE  18  
    • Notes •  PCI DSS 2.0 •  NIST ©  MIRANTIS  2013   PAGE  19  
    • External dependencies •  LDAP / AD •  HSM (PoC available) •  Secure database + SSL ©  MIRANTIS  2013   PAGE  20  
    • Puppet modules ©  MIRANTIS  2013   PAGE  21  
    • aide •  File integrity checking with AIDE ©  MIRANTIS  2013   PAGE  22  
    • auditd •  Auditing and logging during boot •  Auditing ang logging in runtime •  Crucial file access monitoring •  Over 80 rules •  Based on Aqueduct project https://fedorahosted.org/ aqueduct/ ©  MIRANTIS  2013   PAGE  23  
    • baseline •  Disabling services •  Sysctl tuning •  Disabling interactive startup •  Password for single mode •  Profile tuning •  PCI DSS required info in issue/issue.net ©  MIRANTIS  2013   PAGE  24  
    • clamav •  Scanning policies •  Update policies •  Logging ©  MIRANTIS  2013   PAGE  25  
    • controller_ipsec •  Mesh tunnels between controllers ©  MIRANTIS  2013   PAGE  26  
    • limits •  Tuning system limits ©  MIRANTIS  2013   PAGE  27  
    • Logstash (+ kibana + zeromq) •  Entire log collection infrastructure •  Predefinded OpenStack inputs + filters ©  MIRANTIS  2013   PAGE  28  
    • pam •  Cracklib •  Blocking accounts ©  MIRANTIS  2013   PAGE  29  
    • pwpolicy •  Password policies ©  MIRANTIS  2013   PAGE  30  
    • rabbitmq •  Added SSL support ©  MIRANTIS  2013   PAGE  31  
    • securetty •  Disabling root login on console ©  MIRANTIS  2013   PAGE  32  
    • secureusers •  Securing internl OpenStack and systems users ©  MIRANTIS  2013   PAGE  33  
    • ssh •  Secure SSH client and server configuration ©  MIRANTIS  2013   PAGE  34  
    • sudo •  Protecting from shell escapes •  Disabling sudo su for root •  Secure defaults for sessions ©  MIRANTIS  2013   PAGE  35  
    • What’s not included •  System images •  Glance protection •  Swift encryption ©  MIRANTIS  2013   PAGE  36  
    • Tips •  HSM (PoC available) •  Compliance is not technology •  Virtualized != cloud •  Automation is a king •  Get an expert •  Get experienced QSA •  Use Quantum ©  MIRANTIS  2013   PAGE  37  
    • Notes •  Buggy egress filtering in Grizzly •  No default TLS support in VNC •  No image scanning, shredding, etc. •  User cleanup scripts •  No logging framework for tracking cloud activities? •  No granular access rights •  No default „zero access” policy ©  MIRANTIS  2013   PAGE  38  
    • Notes on 8.5 ©  MIRANTIS  2013   PAGE  39  
    • Notes on 10.1 ©  MIRANTIS  2013   PAGE  40  
    • Roadmap •  Publication will be annouced on Mirantis blog •  Planned date: end of 2013 ©  MIRANTIS  2013   PAGE  41  
    • Questions? ©  MIRANTIS  2013   PAGE  42