Top Ten Security Considerations when Setting up your OpenNebula Cloud
Your SlideShare is downloading.
×
Check these out next
Recommended
More Related Content
Slideshows for you (20)
Similar to Make your OpenStack Cloud Self-Defending with VESPA! (20)
Recently uploaded (20)
Make your OpenStack Cloud Self-Defending with VESPA!
- 1. Make your OpenStack Cloud Self-Defending with VESPA! Marc Lacoste Aurélien Wailly Orange Labs OpenStack Summit Paris, November 5, 2014.
- 2. Agenda Motivation and Approach VESPA : Principle and Architecture A Typical Use Case The VESPA Project Perspectives & KeyTake Aways
- 3. What's Wrong with IaaS Today? THREAT proliferation system threats network threats cross-layer security end-to-end security STRONG security Perform 360° security supervision Design open security architecture COMPLEXITY of security management SIMPLE security Ease administration Reduce OPEX Increase efficiency Security administration Diverse mechanisms Manual configuration nightmare Static management Low reactivity
- 4. Our Approach IaaS Clouds with Self-Defense Capabilities Autonomous security management makes cloud protection simpler and stronger. Lighter administration. Increased reactivity. Lower operational costs. Graduated response. Security supervision enabler.
- 5. What is VESPA? = Virtual Environments Self-Protecting Architecture An automated security supervision framework for IaaS and multi-DC infrastructures APPLICATIONS CLOUD PROVIDER IaaS monitoring Anti-malware. Anti-DDoS. End-to-end security. CUSTOMERS SecaaS appliances STRONG SECURITY Cross-layer security: detect / respond to overall extent of attack. Open architecture: mitigate new threats, integrate legacy counter-measures. SIMPLE SECURITY Automated security supervision: choose in-layer, cross-layer, multi-DC. Tuneable defense patterns: orchestrate multiple loops for rich defense strategy. Design principles
- 6. VESPA System Architecture HO Resource Plane Security Plane Agent Plane Orchestration Plane VM Hypervisor Physical VO HO DETECTION Detection Manager Detection Agent DECISION REACTION Reaction Manager Reaction Agent RESOURCES
- 7. VESPA System Architecture HO Resource Plane Security Plane Agent Plane Orchestration Plane Intra-Layer Self-Protection VM Hypervisor Physical VO HO DETECTION Detection Manager Detection Agent DECISION REACTION Reaction Manager Reaction Agent RESOURCES
- 8. VESPA System Architecture HO Resource Plane Security Plane Agent Plane Orchestration Plane Cross-Layer Self-Protection VM Hypervisor Physical VO HO DETECTION Detection Manager Detection Agent DECISION REACTION Reaction Manager Reaction Agent RESOURCES
- 9. Use Case: Risk-Aware Flexible VM Confinement Dynamic VM quarantine : An instantiation :
- 10. A VESPA Implementation Three levels of self-protection: Extension to other OpenStack services (e.g., Nova, Neutron, Ceph/Glance, KeyStone) using dedicated agents for mediation.
- 11. The VESPA Project RESULTS Framework: supervision of single cloud and multi-DC security. Available in open source. Different applications demonstrating viability of self-defending cloud concept. Research results : Framework [ICAC’12]. So far CURRENT VESPA FUNCTIONALITIES VESPA = core + security plug-ins. Supported In progress Anti-virus Integration with Heat + Horizon Hypervisor control Network zones Firewall vSwitch management (SDN) Log analysis A. Wailly, M. Lacoste, H. Debar. “VESPA: Multi-Layered Self-Protection for Cloud Resources”. ACM International Conference on Autonomic Computing (ICAC), San José, USA, September 2012. Extensions: Network management (SDN approach). Mobile cloud SLAs: Orange MC2 [UCC’13]. VMM self-protection: KungFuVisor [EURODW’12], self-stabilization [DSS’14]. Keynotes [SSS’11], panels [IM’11, NOMS’14], tutorials [ICAR’13, MOBILECLOUD’14]. Code available at : https://github.com/Orange-OpenSource/vespa-core
- 12. Perspectives Next steps Hardened code base, push in more features: Deployment of components. Administration console. IDS plug-in. Secure communications. Perimetric defense… More advanced functionalities: Security policy / SLA management. Hypervisor defense. Integration within OpenStack: Blueprint submission. Extension to Nova? Neutron? Others? Standalone OpenStack project? Going multi-cloud For distributed clouds For edge clouds For convergence with SDN/NFV security
- 13. Key Take Aways = a framework for supervising security of IaaS infrastructures. Fills a gap among existing security solutions. brings cloud security supervision intelligence : Simple security: rich levels of security automation. Strong security: multi-level protection + a fully open design to integrate existing security solutions. may come in several deployment modes : VESPA-ready IaaS to protect infrastructure and/or customer VMs. Security appliance. SaaS (security supervision enabler). Taking it to the next level : Compatibility with architecture and mechanisms. Looking for feedback from community to integrate new releases!
- 14. Thank you! Contacts: marc.lacoste@orange.com aurelien.wailly@orange.com
