Securing open stack for compliance

2,493 views

Published on

Slides from lecture delivered at OpenStack Summit Hong Kong

Published in: Technology, Education

Securing open stack for compliance

  1. 1. Securing for compliance Tomasz ‘Zen’ Napierała Sr. OpenStack Engineer ©  MIRANTIS  2013   PAGE  1  
  2. 2. Tomasz Z. Napierała Senior OpenStack Engineer @ Mirantis, Inc. automation, web performance, compliance, security ©  MIRANTIS  2013   PAGE  2  
  3. 3. Mirantis, Inc. Largest independent vendor of OpenStack services and technology. We operate from Mountain View, California, with remote offices in Russia, Ukraine and Poland. 60+ successful OpenStack implementations and 400+ infrastructure experts. ©  MIRANTIS  2013   PAGE  3  
  4. 4. Mirantis, Inc. ©  MIRANTIS  2013   PAGE  4  
  5. 5. Agenda ©  MIRANTIS  2013   PAGE  5  
  6. 6. What’s included •  State of cloud compliance •  Modules overview •  Practical tips ©  MIRANTIS  2013   PAGE  6  
  7. 7. What’s not included •  Securing VMs •  Guarantee ©  MIRANTIS  2013   PAGE  7  
  8. 8. PCI DSS overview ©  MIRANTIS  2013   PAGE  8  
  9. 9. PCI DSS recap •  Set of policies and procedures •  Optimize security of financial data processing •  Protect cardholders •  12 general requirements •  Ongoing process •  PCI DSS version 2.0 ©  MIRANTIS  2013   PAGE  9  
  10. 10. State of compliance in cloud •  Not possible (pre 2012) •  Hard, not clear (pre 2013) •  PCI DSS 2.0 Cloud Computing Guide (Feb. 2013) •  Production deployments •  Rackspace ©  MIRANTIS  2013   PAGE  10  
  11. 11. Where are we 12  x   Rely  on  Cloud  Service  Provider   for  HW-­‐>Hypervisor  related  compliance   Phil  Cox,  RightScale   ©  MIRANTIS  2013   PAGE  11  
  12. 12. Whare are we VM   Hypervisor   Storage   Network   Hardware   ©  MIRANTIS  2013   PAGE  12  
  13. 13. PCI DSS requirements Source:  hSp://www.datasecureworks.com/images/Trustwave/pci-­‐requirements-­‐grid.png   ©  MIRANTIS  2013   PAGE  13  
  14. 14. Projects history •  Initially launched for customer (2 engineers) •  Moved into internal project (2+ engineers) •  Some parts reused in other projects •  2 clients using the tools ©  MIRANTIS  2013   PAGE  14  
  15. 15. Projects limitations •  RedHat / CentOS compatible •  Only for private IaaS clouds •  Operator centric •  Technology focused •  Everything in scope •  No “redo” •  No OpenStack patches •  No firwall management ©  MIRANTIS  2013   PAGE  15  
  16. 16. Ingredients ©  MIRANTIS  2013   PAGE  16  
  17. 17. Elements •  Baseline hardening •  HSM PoC •  Auditing system •  Log collection system •  Intra cluster secure communication •  Audit tools •  Documentation ©  MIRANTIS  2013   PAGE  17  
  18. 18. Tools •  Fuel extension •  Puppet modules •  OpenStack patches (not included) •  OpenSCAP profiles (SRR) •  Documentation •  Checklist ©  MIRANTIS  2013   PAGE  18  
  19. 19. Notes •  PCI DSS 2.0 •  NIST ©  MIRANTIS  2013   PAGE  19  
  20. 20. External dependencies •  LDAP / AD •  HSM (PoC available) •  Secure database + SSL ©  MIRANTIS  2013   PAGE  20  
  21. 21. Puppet modules ©  MIRANTIS  2013   PAGE  21  
  22. 22. aide •  File integrity checking with AIDE ©  MIRANTIS  2013   PAGE  22  
  23. 23. auditd •  Auditing and logging during boot •  Auditing ang logging in runtime •  Crucial file access monitoring •  Over 80 rules •  Based on Aqueduct project https://fedorahosted.org/ aqueduct/ ©  MIRANTIS  2013   PAGE  23  
  24. 24. baseline •  Disabling services •  Sysctl tuning •  Disabling interactive startup •  Password for single mode •  Profile tuning •  PCI DSS required info in issue/issue.net ©  MIRANTIS  2013   PAGE  24  
  25. 25. clamav •  Scanning policies •  Update policies •  Logging ©  MIRANTIS  2013   PAGE  25  
  26. 26. controller_ipsec •  Mesh tunnels between controllers ©  MIRANTIS  2013   PAGE  26  
  27. 27. limits •  Tuning system limits ©  MIRANTIS  2013   PAGE  27  
  28. 28. Logstash (+ kibana + zeromq) •  Entire log collection infrastructure •  Predefinded OpenStack inputs + filters ©  MIRANTIS  2013   PAGE  28  
  29. 29. pam •  Cracklib •  Blocking accounts ©  MIRANTIS  2013   PAGE  29  
  30. 30. pwpolicy •  Password policies ©  MIRANTIS  2013   PAGE  30  
  31. 31. rabbitmq •  Added SSL support ©  MIRANTIS  2013   PAGE  31  
  32. 32. securetty •  Disabling root login on console ©  MIRANTIS  2013   PAGE  32  
  33. 33. secureusers •  Securing internl OpenStack and systems users ©  MIRANTIS  2013   PAGE  33  
  34. 34. ssh •  Secure SSH client and server configuration ©  MIRANTIS  2013   PAGE  34  
  35. 35. sudo •  Protecting from shell escapes •  Disabling sudo su for root •  Secure defaults for sessions ©  MIRANTIS  2013   PAGE  35  
  36. 36. What’s not included •  System images •  Glance protection •  Swift encryption ©  MIRANTIS  2013   PAGE  36  
  37. 37. Tips •  HSM (PoC available) •  Compliance is not technology •  Virtualized != cloud •  Automation is a king •  Get an expert •  Get experienced QSA •  Use Quantum ©  MIRANTIS  2013   PAGE  37  
  38. 38. Notes •  Buggy egress filtering in Grizzly •  No default TLS support in VNC •  No image scanning, shredding, etc. •  User cleanup scripts •  No logging framework for tracking cloud activities? •  No granular access rights •  No default „zero access” policy ©  MIRANTIS  2013   PAGE  38  
  39. 39. Notes on 8.5 ©  MIRANTIS  2013   PAGE  39  
  40. 40. Notes on 10.1 ©  MIRANTIS  2013   PAGE  40  
  41. 41. Roadmap •  Publication will be annouced on Mirantis blog •  Planned date: end of 2013 ©  MIRANTIS  2013   PAGE  41  
  42. 42. Questions? ©  MIRANTIS  2013   PAGE  42  

×