Openstack Security Overview - May 2012


Dome9 Co-founder & CEO, Zohar Alon, presents on OpenStack cloud security citing HP Cloud, Quantum, and his own, Dome9.

Published in: Technology

  1. OpenStack Security Overview: 2012 and beyond. Zohar Alon, Co-Founder & CEO, Dome9 (@zoharalon). Dome9 Security Ltd., Israel, May 2012
  2. Dome9 Quick Background
     • Dome9's Mission: Manage All Cloud Security Stacks
       – Operating System, Virtual Machine and/or any V*LAN Policy
       – Firewall, VPN, IDS, Auditing & Logging
       – Technology & Service Provider Agnostic
     • Pat. Pending Security Automation & SSH Strengthening
     • Highly Affordable SaaS offering
       – Users install and manage
       – Freemium to 4₵/server/hour
     • Dome9 fact box: Founded 2010; First GA: Sept '11; Backing: Opus Capital; Employees: 10
  3. OpenStack Security Considerations
     • What are you building? – Public or Private
     • Access Credentials? – root::alpine is good
     • Key Pairs – Make sure we all have a copy of all .pems in our Gmails/DBoxes
     • Security Groups – Any, Any, Any, Accept – It just works!
     • Data Sensitivity Constraints – Nothing is encrypted, unless you work hard; HTTPS is almost free
     • Inside the VMs – It's not my responsibility. Is it?
     • Other Places to ~~avoid~~ consider: API security, Image Safety, Backups, Logs
  4. HP Cloud – OpenStack Public IaaS
     • Out-of-the-Box OpenStack as a public IaaS
       – Diablo based; Nova and Swift; in public beta now
       – 3 Availability Zones (≠ AWS AZ)
       – EC2 API compatible listener
       – Flat network; Floating (Elastic)/Temp Public/Private IP
     • Security
       – EC2 Style Security Groups: Inbound, port ranges, SG2SG within same AZ
       – Instance Authentication through SSH key-pairs: No import or sharing between AZs
       – Object Storage (Swift): Public or Private setting; No Data-at-rest Encryption
  5. HP Cloud Security Group
  6. Quantum: Virtualizing the Network
     • Tenant Facing API for network management
       – Enables rich multi-level network topologies
       – Decouples "Logical" network from "Physical" constraints
     • Abstract Advanced Network Elements (soon…)
       – Firewalls, VPNs, LBs, NAT, DHCP
       – We'll manage them as they come, but be patient
     • Quantum Security Groups: More robust!
       – Per VIF vs. Per VM
       – Inbound and Outbound
       – Flexibility could lead to complexity
  7. Quantum Physical vs. Virtual + Firewalling
  8. Dome9 for OpenStack: Announcing Private Cloud Connector
     • Define, Manage and automate OpenStack SGs
     • Leverage Host-based Policies where required
     • Share your Objects: Networks, Servers and Users across Clouds
  9. Dome9 Central: Rule Your Cloud Security Policy
  10. Credits and Thanks
     • Salvatore Orlando, Citrix @taturiello – OpenStack
     • Dave Lapsley, nicira @davlaps –
     • Joshua McKenty, Piston Cloud @jmckenty – launch
     • Thank you! Zohar Alon @zoharalon
     • PS: don't forget to ask your DevOps to sharpen their networking skills!
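The security-group points on slides 3, 4 and 6 (the "Any, Any, Any, Accept" rule, EC2-style inbound-only groups with SG-to-SG references, and Quantum groups that also carry outbound rules) as an added audit example, not code from the deck or from Dome9: it walks a rule list in the Neutron/Quantum-style field layout and flags world-open ingress. The sample rules are constructed, and the severity buckets and port sets are assumptions for illustration.

```python
import ipaddress

# Constructed sample rules in the OpenStack Neutron/Quantum-style security group
# layout (field names as in that API; the values are made up for this example).
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": None, "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0"},      # any/any/any accept
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
     "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},        # SSH open to the world
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 443,
     "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},       # HTTPS: expected public
    {"direction": "ingress", "protocol": "tcp", "port_range_min": 3306,
     "port_range_max": 3306, "remote_group_id": "sg-app-tier"},     # SG2SG reference: fine
    {"direction": "egress", "protocol": None, "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0"},      # outbound any (Quantum)
]

PUBLIC_SERVICES = {80, 443}            # assumed: ports meant to be world-reachable
ADMIN_PORTS = {22, 3389, 3306, 5432}  # assumed: management/data ports, never world-open

def rule_is_world_open(rule):
    """True when the remote side is an entire address family (0.0.0.0/0 or ::/0)."""
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:  # remote_group_id (SG-to-SG) rules are scoped, not world-open
        return False
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def audit_rule(rule):
    """Return (severity, reason) for one rule, or None when it is acceptable."""
    if not rule_is_world_open(rule):
        return None
    if rule["direction"] == "egress":
        return ("low", "egress open to 0.0.0.0/0 (only Quantum groups can restrict outbound)")
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if rule.get("protocol") is None or lo is None or hi is None or (lo <= 1 and hi >= 65535):
        return ("critical", "ingress any protocol / any port from 0.0.0.0/0 (Any, Any, Any, Accept)")
    ports = set(range(lo, hi + 1))
    if ports & ADMIN_PORTS:
        return ("high", f"ingress {rule['protocol']}/{lo}-{hi} open to the world")
    if ports <= PUBLIC_SERVICES:
        return None
    return ("medium", f"ingress {rule['protocol']}/{lo}-{hi} open to the world")

def audit_security_group(rules):
    """Audit every rule of a group; an empty list means nothing was flagged."""
    return [f for f in map(audit_rule, rules) if f is not None]

if __name__ == "__main__":
    for severity, reason in audit_security_group(SAMPLE_RULES):
        print(f"[{severity}] {reason}")
```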