Openstack Security Overview - May 2012

Dome9 Co-founder & CEO, Zohar Alon, presents on OpenStack cloud security citing HP Cloud, Quantum, and his own, Dome9.


  1. OpenStack Security Overview
     2012 and beyond
     Israel May 2012
     Zohar Alon, Co-Founder & CEO, Dome9 Security
     zohar@dome9.com @zoharalon
     Dome9 Security Ltd. – http://www.dome9.com
  2. Dome9 Quick Background
     • Dome9's Mission: Manage All Cloud Security Stacks
       – Operating System, Virtual Machine and/or any V*LAN Policy
       – Firewall, VPN, IDS, Auditing & Logging
       – Technology & Service Provider Agnostic
     • Pat. Pending Security Automation & SSH Strengthening
     • Highly Affordable SaaS offering
       – User installs and manages
       – Freemium to 4₵/server/hour
     • Dome9
       – Founded: 2010
       – First GA: Sept '11
       – Backing: Opus Capital
       – Employees: 10
  3. OpenStack Security Considerations
     • What are you building?
       – Public or Private
     • Access Credentials?
       – root::alpine is good
     • Key Pairs
       – Make sure we all have a copy of all .pems in our Gmails/DBoxes
     • Security Groups
       – Any, Any, Any, Accept – It just works!
     • Data Sensitivity Constraints
       – Nothing is encrypted, unless you work hard; HTTPS is almost free
     • Inside the VMs
       – It's not my responsibility. Is it?
     • Other Places to avoid consider:
       – API security, Image Safety, Backups, Logs
  4. HP Cloud – OpenStack Public IaaS
     • Out-of-the-Box OpenStack as a public IaaS
       – Diablo based; Nova and Swift; in public beta now
       – 3 Availability Zones (≠ AWS AZ)
       – EC2 API compatible listener
       – Flat network; Floating (Elastic)/Temp Public/Private IP
     • Security
       – EC2 Style Security Groups
         • Inbound, port ranges, SG2SG within same AZ
       – Instance Authentication through SSH key-pairs
         • No import or sharing between AZs
       – Object Storage (Swift): Public or Private setting
         • No Data-at-rest Encryption
  5. HP Cloud Security Group
  6. Quantum: Virtualizing the Network
     • Tenant Facing API for network management
       – Enables rich multi-level network topologies
       – Decouples "Logical" network from "Physical" constraints
     • Abstract Advanced Network Elements (soon…)
       – Firewalls, VPNs, LBs, NAT, DHCP
       – We'll manage them as they come, but be patient
     • Quantum Security Groups: More robust!
       – Per VIF vs. Per VM
       – Inbound and Outbound
       – Flexibility could lead to complexity
  7. Quantum Physical vs. Virtual + Firewalling
  8. Dome9 for OpenStack: Announcing Private Cloud Connector
     • Define, Manage and automate OpenStack SGs
     • Leverage Host-based Policies where required
     • Share your Objects: Networks, Servers and Users across Clouds
  9. Dome9 Central: Rule Your Cloud Security Policy
  10. Credits and Thanks
     • Salvatore Orlando, Citrix @taturiello
       – http://www.infoq.com/presentations/Quantum-Virtual-Networks-for-OpenStack
     • Dave Lapsley, Nicira @davlaps
       – http://slidesha.re/HQvDTk
     • Joshua McKenty, Piston Cloud @jmckenty
       – http://www.slideshare.net/joshuamckenty/open-stack-security-emea-launch
     • Thank you! Zohar Alon zohar@dome9.com @zoharalon
     • PS don't forget to ask your DevOps to sharpen their networking skills!
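
An added example, not part of the slides: a small audit of EC2-style inbound security-group rules that flags the "Any, Any, Any, Accept" pattern from slide 3 and administrative ports left open to every source. The rule field names, the sample rules and the `ADMIN_PORTS` set are constructed for illustration and are not the Nova or Quantum API schema.

```python
import ipaddress

# Assumption: ports this audit treats as administrative access.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def source_is_any(rule):
    """True when the rule's source CIDR covers every address (IPv4 or IPv6)."""
    cidr = rule.get("cidr")
    if cidr is None:  # SG-to-SG rule: the source is another group, not a CIDR
        return False
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_rule(rule):
    """Return the findings for one inbound rule (empty list if acceptable)."""
    if not source_is_any(rule):
        return []
    proto = str(rule["protocol"]).lower()
    lo, hi = rule.get("from_port"), rule.get("to_port")
    if proto in ("-1", "any", "all"):
        return ["any source, any protocol, any port"]
    if lo is None or hi is None:  # no port range to evaluate
        return []
    if lo <= 1 and hi >= 65535:
        return [f"any source, all {proto} ports"]
    if proto != "tcp":
        return []
    return [f"{name} ({port}/tcp) open to any source"
            for port, name in sorted(ADMIN_PORTS.items()) if lo <= port <= hi]

def audit(rules):
    """Return (group, finding) pairs for every rule that needs attention."""
    return [(r["group"], f) for r in rules for f in audit_rule(r)]

# Constructed sample rules; hypothetical field names.
SAMPLE_RULES = [
    {"group": "default", "protocol": "-1", "cidr": "0.0.0.0/0"},
    {"group": "web", "protocol": "tcp", "from_port": 443, "to_port": 443,
     "cidr": "0.0.0.0/0"},
    {"group": "web", "protocol": "tcp", "from_port": 22, "to_port": 22,
     "cidr": "0.0.0.0/0"},
    {"group": "db", "protocol": "tcp", "from_port": 3306, "to_port": 3306,
     "source_group": "web"},
    {"group": "bastion", "protocol": "tcp", "from_port": 22, "to_port": 22,
     "cidr": "203.0.113.0/24"},
    {"group": "legacy", "protocol": "tcp", "from_port": 1, "to_port": 65535,
     "cidr": "::/0"},
]

if __name__ == "__main__":
    for group, finding in audit(SAMPLE_RULES):
        print(f"{group}: {finding}")
```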
