Holistic Security for
OpenStack Clouds
Major Hayden
Principal Architect, Rackspace
@majorhayden
Photo credit: bastiend (Flickr)
Image credit: Wikipedia
Security feels like this
Image credit: Wikipedia
Securing complex
systems creates
more challenges
Securing OpenStack can feel like
taking a trip to the Upside Down.
It doesn’t have to be that way
(even with something as complex as OpenStack)
Image credit: Pixabay
The key is
taking the right approach
to secure a complex system.
Major Hayden
Principal Architect
● At Rackspace since 2006
● Working on OpenStack since 2012
● Focused on information security for
Rackspace Private Cloud
● Fedora Linux contributor; Fedora Security
Team and Server Working Group member
● Has a terrible domain name purchase habit
(please, no ideas for domain names today)
Holistic
characterized by comprehension of the
parts of something as intimately
interconnected and explicable only by
reference to the whole
-- Oxford English Dictionary
The holistic approach for
humans considers a person
to be made of a body, a
mind, and a spirit.
Image credit: Pixabay
The holistic approach for
OpenStack considers
a cloud to be made of
servers, software, and a
business goal.
A holistic approach to security
involves people, processes,
and technologies working in
tandem.
“The whole is greater
than the sum of its parts,
especially in the case of OpenStack.”
-- (partially) Aristotle
Image credit: Wikipedia
How does this apply to
securing an OpenStack
cloud?
Let’s do a quick security
refresher.
Assume that attackers
will get inside eventually.
Image credit: Pixabay
Attackers are on offense.
They can be wrong many times.
Defenders can only be wrong
once for a breach to occur.
Securing only the outer perimeter
is not sufficient.
We must secure our OpenStack cloud.
We need to go deeper.
We just bought an expensive firewall for
the perimeter. Isn’t that enough?
(no caption necessary)
Build small security improvements
at multiple layers.*
* This is the cornerstone of defense-in-depth.
Individually, these changes may
not seem to have much value.
All of these changes create a
strong, valuable security strategy
when they are added together.
Let’s get to the good stuff.
Image credit: Pexels
Work from the outside in
(just like you would at a fancy dinner)
Image credit: Wikipedia
Four layers
Outer perimeter
Control and data planes
Control plane deep dive:
OpenStack services and backend services
OpenStack services deep dive
Image credit: imageme (Flickr)
The outer perimeter
Image credit: Pixabay
OUTER PERIMETER SECURITY GOAL:
Convince your attackers that
it’s easier to attack someone
else’s cloud
Key concepts
Make it expensive for attackers to breach your perimeter defense.
When they do make it through, ensure that you know about it immediately.
Perimeters usually have openings on the outside and inside -- secure both of them.
Tactical objectives
Require a VPN for access from external networks.
Segregate internal networks using a firewall or an internally-facing VPN.
Monitor all logins (successful and unsuccessful) for unusual activity.
Track bandwidth usage trends using netflow data.
Diagram: Secure the perimeter. Components shown: Internet, VPN, corporate network, firewall, log collector, alert system, netflow collector, auth system.
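An added example of the login-monitoring objective above (this is not code from the talk or from Rackspace): a small Python checker that reads sshd log lines and flags a burst of failures from one source, a success from a source that was failing moments earlier, and any successful login that did not arrive through the VPN or corporate network. The log lines, the trusted network ranges, the failure threshold and the time window are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Networks that logins are expected to come from: the VPN client pool and the
# corporate network. Both ranges are constructed for this example.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.240.0.0/16"),    # VPN client pool (assumed)
    ipaddress.ip_network("192.168.50.0/24"),  # corporate network (assumed)
]
FAILURE_THRESHOLD = 3   # this many failures from one source ...
WINDOW_SECONDS = 300    # ... inside this window counts as a guessing burst

# sshd "Accepted"/"Failed" lines as syslog writes them (no year in the timestamp).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log. The systemd line shows that unrelated entries are skipped.
SAMPLE_LOG = [
    "Jan 10 03:12:01 ctrl01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Jan 10 03:12:04 ctrl01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Jan 10 03:12:05 ctrl01 systemd[1]: Started Session 14 of user deploy.",
    "Jan 10 03:12:09 ctrl01 sshd[2205]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Jan 10 03:12:15 ctrl01 sshd[2207]: Accepted publickey for deploy from 203.0.113.7 port 51040 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT",
    "Jan 10 08:00:00 ctrl01 sshd[3001]: Accepted publickey for deploy from 10.240.0.15 port 40001 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT",
]


def parse_line(line, year=2024):
    """Return a dict for an sshd login event, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "ok": m["result"] == "Accepted",
            "user": m["user"], "src": ipaddress.ip_address(m["src"])}


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze(lines):
    """Return (kind, source, detail) findings for unusual login activity."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    failures = defaultdict(list)   # source address -> timestamps of failed attempts
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src = e["src"]
        if not e["ok"]:
            failures[src].append(e["ts"])
            recent = [t for t in failures[src]
                      if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            if len(recent) == FAILURE_THRESHOLD:   # fire once, when the burst forms
                findings.append(("failure-burst", str(src),
                                 f"{len(recent)} failures within {WINDOW_SECONDS}s"))
            continue
        # A successful login that did not arrive through the VPN or corporate network
        # means the perimeter was bypassed (or the trusted ranges above are wrong).
        if not is_trusted(src):
            findings.append(("untrusted-source", str(src), f"{e['user']}@{e['host']}"))
        # A success from a source that was failing moments ago deserves a look.
        if failures.get(src):
            findings.append(("success-after-failures", str(src),
                             f"{e['user']}@{e['host']} after {len(failures[src])} failures"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {kind:<22} {src:<15} {detail}")
```

On the constructed log the checker raises three alerts, all for 203.0.113.7, and stays quiet about the later login from the VPN pool; in practice the log lines come from the log collector in the diagram and the findings go to the alert system.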
Control and data planes
Image credit: Pixabay
Control and data plane
Control plane: keystone, nova, glance, cinder, neutron, horizon, rabbitmq, mysql, memcached
Data plane: hypervisors and tenant-built items (VMs, containers, networks, storage)
CONTROL/DATA PLANES SECURITY GOAL:
Keep the inner workings
of your OpenStack cloud
separated from
tenant infrastructure
Key concepts
Tenant infrastructure should have extremely limited access to the control plane, and vice versa.
A misconfigured tenant VM could open a wide hole in your secure network.
Protect your cloud from VM exit exploits that allow attackers to gain hypervisor access.
Tactical objectives
Separate control plane, hypervisors and tenant infrastructure with VLANs and strict firewall rules (and monitor dropped packets).
Use SELinux or AppArmor on hypervisors to reduce the impact of VM and container exit exploits.
Linux Security Module refresher
Three popular implementations: SELinux, AppArmor, and TOMOYO.
sVirt (in libvirt) ensures that all processes are labeled properly (SELinux) or have profiles configured (AppArmor).
VM exit exploits are confined in most situations.
Diagram labels: Hypervisor, Tenant VM, Storage, Network, Linux Security Module.
Do not disable
SELinux or AppArmor
on your hypervisors.
(Seriously. Leave it enabled.)
Control plane deep dive:
OpenStack and backend services
Image credit: Wikipedia
CONTROL PLANE SECURITY GOAL:
Heavily restrict lateral
movement and restrict access
to the “crown jewels”
“crown jewels” are the databases and message queues
in your OpenStack cloud
Control plane deep dive
OpenStack services: keystone, nova, glance, cinder, neutron, horizon (the map to the “crown jewels” is here)
Backend services: mysql, rabbitmq, memcached, syslog (the “crown jewels” are here)
Key concepts
Allow the least amount of access possible from the OpenStack services to backend services.
Further restrict access to specific ports, sources, and destinations.
Deploy services into containers to apply fine-tuned network and process restrictions.
Tactical objectives
Use a load balancer or firewall to create a “choke point” between OpenStack and backend services.
Monitor messaging and database performance closely to look for anomalies or unauthorized access.
Use unique credentials for each MySQL database and RabbitMQ virtual host.
OpenStack services deep dive
Image credit: Wikipedia
OPENSTACK SERVICES SECURITY GOAL:
Know what valid communication
looks like and alert on
everything else
OpenStack has many (predictable) interactions
Key concepts
OpenStack services are heavily interconnected, but the connections are predictable.
Limit access between OpenStack services and monitor for any invalid requests.
Tactical objectives
Use iptables rules to limit access between OpenStack services; alert on any invalid connections.
Give each service a different keystone service account (with different credentials).
Monitor closely for high bandwidth usage and high connection counts.
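Both deep dives come down to the same idea: write down which service may talk to which, enforce that with iptables, and treat anything the rules drop as an alert. The following Python, added here and not part of the talk or of OpenStack-Ansible, does both halves for a constructed service map. It emits the iptables INPUT rules for one host (allowlisted flows accepted, every other new TCP connection logged with a prefix and dropped) and classifies the resulting kernel log lines into alerts: an unknown source, a known host reaching a service it has no business with, and an allowlisted flow that was dropped anyway because a rule is missing or stale. The flow matrix, addresses, ports and log lines are assumptions made for the example.

```python
import re

# Which OpenStack service may open connections to which service or backend, on
# which TCP port. Constructed for this example; derive the real matrix from your
# own deployment's configuration.
ALLOWED_FLOWS = {
    ("keystone", "mysql", 3306), ("nova", "mysql", 3306), ("glance", "mysql", 3306),
    ("cinder", "mysql", 3306), ("neutron", "mysql", 3306),
    ("nova", "rabbitmq", 5672), ("neutron", "rabbitmq", 5672), ("cinder", "rabbitmq", 5672),
    ("nova", "keystone", 5000), ("glance", "keystone", 5000), ("neutron", "keystone", 5000),
    ("cinder", "keystone", 5000), ("horizon", "keystone", 5000),
    ("nova", "glance", 9292), ("nova", "neutron", 9696), ("nova", "cinder", 8776),
    ("keystone", "memcached", 11211), ("horizon", "memcached", 11211),
}

# Management-network address of each role (constructed addresses).
ROLE_HOSTS = {
    "keystone": ["172.29.236.10"], "nova": ["172.29.236.20"], "glance": ["172.29.236.30"],
    "neutron": ["172.29.236.40"], "cinder": ["172.29.236.50"], "horizon": ["172.29.236.60"],
    "mysql": ["172.29.236.100"], "rabbitmq": ["172.29.236.110"], "memcached": ["172.29.236.120"],
}
LOG_PREFIX = "OS-DROP "


def role_of(addr):
    return next((role for role, hosts in ROLE_HOSTS.items() if addr in hosts), None)


def iptables_rules(dest_role):
    """INPUT rules for one host: accept the allowlisted flows to it, then log
    and drop every other new TCP connection so that the drops become alerts."""
    rules = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src, dst, port in sorted(ALLOWED_FLOWS):
        if dst != dest_role:
            continue
        for host in ROLE_HOSTS[src]:
            rules.append(f"iptables -A INPUT -p tcp -s {host} --dport {port} "
                         f"-m conntrack --ctstate NEW -j ACCEPT")
    rules.append(f'iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j LOG --log-prefix "{LOG_PREFIX}"')
    rules.append("iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP")
    return rules


# Kernel log lines written by the LOG target above (constructed samples).
KLOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")
SAMPLE_KLOG = [
    "Jan 10 04:01:22 mysql01 kernel: OS-DROP IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 "
    "SRC=172.29.236.60 DST=172.29.236.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP "
    "SPT=41022 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 10 04:03:10 mysql01 kernel: OS-DROP IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 "
    "SRC=10.1.2.3 DST=172.29.236.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22001 DF PROTO=TCP "
    "SPT=50012 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 10 04:05:00 mysql01 kernel: OS-DROP IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:04:08:00 "
    "SRC=172.29.236.20 DST=172.29.236.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30987 DF PROTO=TCP "
    "SPT=50100 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 10 04:05:01 mysql01 kernel: eth1: link becomes ready",
]


def classify_drops(lines):
    """Turn logged drops into (kind, source, detail) alerts."""
    alerts = []
    for line in lines:
        m = KLOG_RE.search(line) if LOG_PREFIX in line else None
        if not m:
            continue
        src, dst, port = m["src"], m["dst"], int(m["dpt"])
        src_role, dst_role = role_of(src), role_of(dst)
        target = f"{dst_role or dst}:{port}"
        if src_role is None:                 # not a control-plane host at all
            alerts.append(("unknown-source", src, target))
        elif (src_role, dst_role, port) in ALLOWED_FLOWS:
            alerts.append(("allowed-flow-dropped", src, f"{src_role}->{target}"))
        else:                                # known host, forbidden service pair
            alerts.append(("forbidden-flow", src, f"{src_role}->{target}"))
    return alerts


if __name__ == "__main__":
    print("\n".join(iptables_rules("mysql")))
    for kind, src, detail in classify_drops(SAMPLE_KLOG):
        print(f"ALERT {kind:<21} {src:<15} {detail}")
```

For the mysql host the generator produces five ACCEPT rules (one per service that holds a database there) and never one for horizon, so the first sample line is reported as a forbidden flow; the second line comes from an address outside the service map, and the third is nova reaching mysql, an allowed flow that should never appear in the drop log. The same matrix can drive the "unique credentials per database and virtual host" objective, since it already lists which service needs access to which backend.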
Let’s wrap up
Analyze.
Isolate.
Monitor.
Repeat.
These small security changes
add up to a strong defense
Image credit: Wikipedia
Try OpenStack-Ansible
OpenStack-Ansible deploys
enterprise-grade OpenStack clouds
using Ansible.
Security and reliability are two of the
core priorities for the project. Most of
the security changes in this talk are
already implemented.
Learn more:
http://bit.ly/openstack-ansible
RACKSPACE PRIVATE CLOUD
POWERED BY OPENSTACK®
Learn more about our
proven operational expertise,
industry-leading reliability,
and OpenStack Everywhere.
Join us at the Rackspace booth (A22)
in the OpenStack Marketplace.
RACKSPACE INVENTED
OPENSTACK® – NOW WE'RE
PERFECTING IT
Thank you!
Major Hayden
@majorhayden
major.hayden@rackspace.com
Photo credit: bastiend (Flickr)
