3. STEP 1
Ask Questions
Key Questions:
1) What are the various techniques used to
authenticate users to the cloud?
Why is cloud authentication the paramount component
of cloud security?
2) How secure is authentication in the cloud?
Are there security issues in elements other than the
cloud system (e.g., physical security, databases, etc.)?
4. STEP 2
Research
Establish a research environment
OpenStack, open-source cloud software
Research authentication measures for the specified
environment
Keystone, OpenStack’s authentication service
Horizon Dashboard, OpenStack’s graphical interface for
administrators to manage cloud resources
5. STEP 3
Threat Statement
An attacker can obtain credentials of the cloud
administrator through hacking and/or social
engineering and use them to authenticate to a cloud and
temporarily or permanently damage normal operations.
8. STEP 6
Results
Overview:
Information in the captured session cookie revealed
user credentials.
Why?
The credentials were insecure because by default,
Horizon uses HTTP for web communications
instead of the more secure HTTPS.
9. STEP 7
Devising a Solution
Problem Source: Use of HTTP
Solution: Enable HTTPS for communications
Avoiding similar problems in future:
Follow security guidelines
Properly configure new software
Regularly check existing software for vulnerabilities and
apply patches
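One way to check that the HTTPS fix also covers the session cookie is to audit Horizon's local_settings.py for the cookie flags that keep it off plain HTTP. This is an added example, not part of the original slides; it assumes the Django/Horizon setting names SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY, and both sample files are constructed.

```python
import ast

# Cookie settings to verify once the dashboard is served over HTTPS, mapped to
# the Django default that applies when local_settings.py does not set them.
REQUIRED = {
    "SESSION_COOKIE_SECURE": False,   # default False: cookie is sent over HTTP
    "CSRF_COOKIE_SECURE": False,      # default False
    "SESSION_COOKIE_HTTPONLY": True,  # default True
}

def read_settings(source):
    """Collect top-level NAME = <literal> assignments without executing the file."""
    values = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError, SyntaxError):
                pass  # non-literal expression; not relevant to this check
    return values

def audit(source):
    """Return the sorted names of cookie settings that are not effectively True."""
    values = read_settings(source)
    return sorted(name for name, default in REQUIRED.items()
                  if values.get(name, default) is not True)

# Constructed samples, not taken from a real deployment.
HTTP_ONLY_DEPLOYMENT = '''
DEBUG = False
WEBROOT = "/dashboard/"
SESSION_COOKIE_HTTPONLY = True
'''

HTTPS_DEPLOYMENT = '''
DEBUG = False
WEBROOT = "/dashboard/"
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
'''

if __name__ == "__main__":
    for label, text in (("http", HTTP_ONLY_DEPLOYMENT), ("https", HTTPS_DEPLOYMENT)):
        print(label, audit(text) or "ok")
```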
13.
Shown above is a command used to get the version number of OpenStack’s compute service, Nova.
14.
This is an error encountered while using SSH to connect to an OpenStack instance. It occurs because
the key pair file used for security is not private to the user who generated it.
15.
Above is an image of the OpenStack Dashboard. It currently shows several images that can be launched as instances in the cloud.
16.
Below is a screenshot from Ubuntu showing the main devstack directory.