Holistic Security for OpenStack Clouds
Major Hayden
Principal Architect, Rackspace
@majorhayden
Photo credit: bastiend (Flickr)
Image credit: Wikipedia
Security feels like this
Image credit: Wikipedia
Securing complex systems creates more challenges
Securing OpenStack can feel like taking a trip to the Upside Down.
It doesn’t have to be that way (even with something as complex as OpenStack)
Image credit: Pixabay
The key is taking the right approach to secure a complex system.
Major Hayden
Principal Architect
● At Rackspace since 2006
● Working on OpenStack since 2012
● Focused on information security for Rackspace Private Cloud
● Fedora Linux contributor; Fedora Security Team and Server Working Group member
● Has a terrible domain name purchase habit (please, no ideas for domain names today)
Holistic: characterized by comprehension of the parts of something as intimately interconnected and explicable only by reference to the whole
-- Oxford English Dictionary
The holistic approach for humans considers a person to be made of a body, a mind, and a spirit.
Image credit: Pixabay
The holistic approach for OpenStack considers a cloud to be made of servers, software, and a business goal.
A holistic approach to security involves people, processes, and technologies working in tandem.
“The whole is greater than the sum of its parts, especially in the case of OpenStack.”
-- (partially) Aristotle
Image credit: Wikipedia
How does this apply to securing an OpenStack cloud?
Let’s do a quick security refresher.
Assume that attackers will get inside eventually.
Image credit: Pixabay
Attackers are on offense. They can be wrong many times.
Defenders can only be wrong once for a breach to occur.
Securing only the outer perimeter is not sufficient.
We must secure our OpenStack cloud. We need to go deeper.
We just bought an expensive firewall for the perimeter. Isn’t that enough?
(no caption necessary)
Build small security improvements at multiple layers.*
* This is the cornerstone of defense-in-depth.
Individually, these changes may not seem to have much value.
All of these changes create a strong, valuable security strategy when they are added together.
Let’s get to the good stuff.
Image credit: Pexels
Work from the outside in (just like you would at a fancy dinner)
Image credit: Wikipedia
Four layers
Outer perimeter
Control and data planes
Control plane deep dive: OpenStack services and backend services
OpenStack services deep dive
Image credit: imageme (Flickr)
The outer perimeter
Image credit: Pixabay
OUTER PERIMETER SECURITY GOAL: Convince your attackers that it’s easier to attack someone else’s cloud
Key concepts
Make it expensive for attackers to breach your perimeter defense
When they do make it through, ensure that you know about it immediately
Perimeters usually have openings on the outside and inside -- secure both of them
Tactical objectives
Require a VPN for access from external networks
Segregate internal networks using a firewall or an internally-facing VPN
Monitor all logins (successful and unsuccessful) for unusual activity
Track bandwidth usage trends using netflow data
Secure the perimeter (diagram labels: Internet, corporate network, VPN, firewall, auth system, log collector, alert system, netflow collector)
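The login-monitoring objective above, as an added example that is not part of the slides or of OpenStack-Ansible: a small analyzer reads sshd log lines collected from a management host and raises an alert for a burst of failures from one source, for a successful login from outside the VPN and corporate ranges, and for a success that follows such a burst. The log lines, the trusted address ranges and the five-failure threshold are constructed assumptions; a real deployment would feed this from the log collector in the diagram.

```python
"""Flag unusual login activity in sshd log lines (added example; the log
lines, trusted ranges and threshold below are constructed assumptions)."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the VPN hands out 10.255.0.0/16 and the corporate LAN is
# 192.168.10.0/24; any other source reaching a management host is suspect.
TRUSTED_SOURCES = [ipaddress.ip_network("10.255.0.0/16"),
                   ipaddress.ip_network("192.168.10.0/24")]
FAILURE_THRESHOLD = 5  # failures from one source before alerting (assumption)

# Matches "Accepted ... for <user>" and "Failed ... for [invalid user] <user>".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: a password-guessing burst from an Internet address that
# eventually succeeds, followed by a normal key-based login over the VPN.
SAMPLE_LOG = """\
Mar  3 10:00:01 infra1 sshd[2001]: Failed password for root from 203.0.113.9 port 50001 ssh2
Mar  3 10:00:02 infra1 sshd[2002]: Failed password for root from 203.0.113.9 port 50002 ssh2
Mar  3 10:00:03 infra1 sshd[2003]: Failed password for invalid user admin from 203.0.113.9 port 50003 ssh2
Mar  3 10:00:04 infra1 sshd[2004]: Failed password for root from 203.0.113.9 port 50004 ssh2
Mar  3 10:00:05 infra1 sshd[2005]: Failed password for root from 203.0.113.9 port 50005 ssh2
Mar  3 10:00:09 infra1 sshd[2006]: Accepted password for root from 203.0.113.9 port 50006 ssh2
Mar  3 10:05:00 infra1 sshd[2100]: Accepted publickey for major from 10.255.4.17 port 40110 ssh2
"""


def parse_events(text):
    """Turn raw sshd lines into dicts; lines that are not login results are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def analyze_logins(events):
    """Return (alert_type, source, detail) tuples in the order they were triggered."""
    alerts = []
    failures = defaultdict(int)  # failed attempts seen per source address
    for ev in events:
        src = ev["src"]
        trusted = any(ipaddress.ip_address(src) in net for net in TRUSTED_SOURCES)
        if ev["result"] == "Failed":
            failures[src] += 1
            if failures[src] == FAILURE_THRESHOLD:  # alert once per burst
                alerts.append(("brute_force", src, f"{FAILURE_THRESHOLD} failures"))
            continue
        # A successful login: check where it came from and what preceded it.
        if not trusted:
            alerts.append(("untrusted_source_login", src, ev["user"]))
        if failures[src] >= FAILURE_THRESHOLD:
            alerts.append(("success_after_failures", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze_logins(parse_events(SAMPLE_LOG)):
        print(*alert)
```

The untrusted-source alert is the one that matters most for the VPN objective: once every administrative login is required to arrive through the VPN, any success from another range is by definition something to investigate, independent of whether it was preceded by failures.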
Control and data planes
Image credit: Pixabay
Control and data plane
Control plane: keystone, nova, glance, cinder, neutron, horizon, rabbitmq, mysql, memcached
Data plane: hypervisors and tenant-built items (VMs, containers, networks, storage)
CONTROL/DATA PLANES SECURITY GOAL: Keep the inner workings of your OpenStack cloud separated from tenant infrastructure
Key concepts
Tenant infrastructure should have extremely limited access to the control plane, and vice versa
A misconfigured tenant VM could open a wide hole in your secure network
Protect your cloud from VM exit exploits that allow attackers to gain hypervisor access
Tactical objectives
Separate control plane, hypervisors and tenant infrastructure with VLANs and strict firewall rules (and monitor dropped packets)
Use SELinux or AppArmor on hypervisors to reduce the impact of VM and container exit exploits
Linux Security Module refresher
Three popular implementations: SELinux, AppArmor, and TOMOYO
sVirt (in libvirt) ensures that all processes are labeled properly (SELinux) or have profiles configured (AppArmor)
VM exit exploits are confined in most situations
(diagram labels: hypervisor, tenant VM, storage, network, Linux Security Module)
Do not disable SELinux or AppArmor on your hypervisors. (Seriously. Leave it enabled.)
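The sVirt point above, as an added check that is not from the slides or from libvirt: given the output of `ps -eZ` on an SELinux hypervisor, confirm that every qemu guest process runs in the `svirt_t` domain with its own MCS category pair, since a guest that is unconfined, or that shares its categories with another guest, does not get the confinement the slide relies on. The process listing is constructed, the check assumes libvirt's default dynamic labeling (static labels or `svirt_tcg_t` for TCG guests would need their own allowlist), and it covers SELinux only; AppArmor confinement is checked through profiles instead.

```python
"""Audit sVirt labels on qemu guest processes (added example; the ps listing
is constructed and the check assumes libvirt's default dynamic labeling)."""
import re
from collections import defaultdict

GUEST_DOMAIN = "svirt_t"
MCS_RE = re.compile(r"^c\d+,c\d+$")  # sVirt gives each guest a pair of categories

# Constructed `ps -eZ` output: two guests sharing one label (isolation between
# them is lost), one unconfined guest, and one correctly labeled guest.
SAMPLE_PS = """\
LABEL                                   PID TTY          TIME CMD
system_u:system_r:virtd_t:s0-s0:c0.c1023 1200 ?        00:00:03 libvirtd
system_u:system_r:svirt_t:s0:c104,c317 4021 ?        00:01:12 qemu-kvm
system_u:system_r:svirt_t:s0:c104,c317 4077 ?        00:00:40 qemu-kvm
system_u:system_r:unconfined_t:s0-s0:c0.c1023 4500 ?        00:00:01 qemu-kvm
system_u:system_r:svirt_t:s0:c12,c955  4610 ?        00:02:30 qemu-kvm
"""


def guest_processes(ps_output):
    """Yield (pid, label, cmd) for qemu processes in `ps -eZ` style output."""
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        label, pid, _tty, _time, cmd = parts
        if cmd.startswith("qemu"):
            yield int(pid), label, cmd


def audit_guest_labels(ps_output):
    """Return (pid, problem) findings; an empty list means every guest is confined."""
    findings = []
    by_categories = defaultdict(list)
    for pid, label, _cmd in guest_processes(ps_output):
        fields = label.split(":")  # user:role:type:sensitivity[:categories]
        domain = fields[2]
        categories = fields[4] if len(fields) > 4 else ""
        if domain != GUEST_DOMAIN:
            findings.append((pid, f"runs as {domain}, not {GUEST_DOMAIN}"))
            continue
        if not MCS_RE.match(categories):
            findings.append((pid, f"no MCS category pair in label {label}"))
            continue
        by_categories[categories].append(pid)
    # Two guests with identical categories can access each other's resources.
    for categories, pids in by_categories.items():
        if len(pids) > 1:
            for pid in pids:
                others = [p for p in pids if p != pid]
                findings.append((pid, f"shares MCS categories {categories} with {others}"))
    return findings


def selinux_enforcing(enforce_file_content):
    """/sys/fs/selinux/enforce reads '1' when enforcing and '0' when permissive."""
    return enforce_file_content.strip() == "1"


if __name__ == "__main__":
    for pid, problem in audit_guest_labels(SAMPLE_PS):
        print(pid, problem)
```

Run it against the real listing with `subprocess.run(["ps", "-eZ"], capture_output=True, text=True).stdout` and against the contents of `/sys/fs/selinux/enforce`; a permissive hypervisor labels processes correctly but never denies anything, so the label audit alone is not enough.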
Control plane deep dive: OpenStack and backend services
Image credit: Wikipedia
CONTROL PLANE SECURITY GOAL: Heavily restrict lateral movement and restrict access to the “crown jewels”
“crown jewels” are the databases and message queues in your OpenStack cloud
Control plane deep dive
OpenStack services: keystone, nova, glance, cinder, neutron, horizon (the map to the “crown jewels” is here)
Backend services: mysql, rabbitmq, memcached, syslog (the “crown jewels” are here)
Key concepts
Allow the least amount of access possible from the OpenStack services to backend services
Further restrict access to specific ports, sources, and destinations
Deploy services into containers to apply fine-tuned network and process restrictions
Tactical objectives
Use a load balancer or firewall to create a “choke point” between OpenStack and backend services
Monitor messaging and database performance closely to look for anomalies or unauthorized access
Use unique credentials for each MySQL database and RabbitMQ virtual host
OpenStack services deep dive
Image credit: Wikipedia
OPENSTACK SERVICES SECURITY GOAL: Know what valid communication looks like and alert on everything else
OpenStack has many (predictable) interactions
Key concepts
OpenStack services are heavily interconnected, but the connections are predictable
Limit access between OpenStack services and monitor any invalid requests
Tactical objectives
Use iptables rules to limit access between OpenStack services; alert on any invalid connections
Give each service a different keystone service account (with different credentials)
Monitor closely for high bandwidth usage and high connection counts
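The two deep-dive slides above (restricting each OpenStack service to the backend services it needs, and limiting and alerting on traffic between OpenStack services) share one added example that is not from the slides or from OpenStack-Ansible. A single allowlist of expected service-to-service connections is used twice: to generate the iptables INPUT rules for a given host (accept the expected sources, then log and drop everything else, so dropped packets show up in syslog for the alert system) and to check observed flows against the expected ones. The host addresses, the sample flows and the allowlist itself are constructed assumptions; the ports are the default listening ports of each service, but the real allowlist has to be derived from your own deployment.

```python
"""Expected OpenStack service connections as an allowlist, used to emit
iptables rules and to flag unexpected flows (added example; hosts, flows and
the allowlist are constructed assumptions)."""

# Default listening ports of the services that accept connections.
PORT = {"keystone": 5000, "nova-api": 8774, "glance-api": 9292,
        "neutron-server": 9696, "mysql": 3306, "rabbitmq": 5672,
        "memcached": 11211}

# Assumed addresses: OpenStack services on 10.0.1.0/24, backends on 10.0.2.0/24.
HOSTS = {"keystone": "10.0.1.5", "nova-api": "10.0.1.10",
         "nova-compute": "10.0.1.20", "neutron-server": "10.0.1.30",
         "glance-api": "10.0.1.40", "horizon": "10.0.1.50",
         "mysql": "10.0.2.10", "rabbitmq": "10.0.2.20", "memcached": "10.0.2.30"}
ROLE_OF = {ip: role for role, ip in HOSTS.items()}

# Assumed allowlist: the destinations each source role may open connections to.
# nova-compute reaches the database only through nova-conductor over rabbitmq,
# so it is never a mysql client.
ALLOWED = {
    "keystone":       {"mysql", "memcached"},
    "nova-api":       {"keystone", "glance-api", "neutron-server",
                       "mysql", "rabbitmq", "memcached"},
    "nova-compute":   {"glance-api", "neutron-server", "rabbitmq"},
    "neutron-server": {"keystone", "nova-api", "mysql", "rabbitmq"},
    "glance-api":     {"keystone", "mysql", "rabbitmq"},
    "horizon":        {"keystone", "nova-api", "glance-api",
                       "neutron-server", "memcached"},
}


def iptables_rules(dst_role, log_prefix="INVALID-OS-CONN "):
    """INPUT rules for the host running dst_role: accept the expected sources,
    then log and drop everything else aimed at that service port."""
    port = PORT[dst_role]
    rules = [f"-A INPUT -s {HOSTS[src]}/32 -p tcp --dport {port} -j ACCEPT"
             for src, dsts in sorted(ALLOWED.items()) if dst_role in dsts]
    rules.append(f'-A INPUT -p tcp --dport {port} -j LOG --log-prefix "{log_prefix}"')
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules


def unexpected_flows(flows):
    """Return the (src_ip, dst_ip, dst_port) flows the allowlist does not explain,
    including flows from addresses that are not known hosts at all."""
    bad = []
    for src_ip, dst_ip, dst_port in flows:
        src, dst = ROLE_OF.get(src_ip), ROLE_OF.get(dst_ip)
        allowed = (src is not None and dst is not None
                   and dst in ALLOWED.get(src, set())
                   and PORT.get(dst) == dst_port)
        if not allowed:
            bad.append((src_ip, dst_ip, dst_port))
    return bad


# Constructed flow records (as exported from conntrack or netflow): the first
# three are expected, the rest are not.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.10", 3306),   # nova-api -> mysql
    ("10.0.1.30", "10.0.2.20", 5672),   # neutron-server -> rabbitmq
    ("10.0.1.50", "10.0.1.5", 5000),    # horizon -> keystone
    ("10.0.1.20", "10.0.2.10", 3306),   # nova-compute -> mysql (never expected)
    ("10.0.1.20", "10.0.2.30", 11211),  # nova-compute -> memcached
    ("10.0.1.50", "10.0.2.10", 3306),   # horizon -> mysql
    ("192.0.2.7", "10.0.2.10", 3306),   # unknown host -> mysql
]

if __name__ == "__main__":
    print("\n".join(iptables_rules("mysql")))
    for flow in unexpected_flows(SAMPLE_FLOWS):
        print("unexpected:", *flow)
```

Keeping the allowlist in one place is the point: the rules that enforce it and the monitor that alerts on violations are generated from the same table, so they cannot drift apart, and when a load balancer is the choke point the same table drives its access list. The per-service keystone accounts and per-database credentials from the slides complement this at the application layer, so a host that slips past the network rules still holds only one service's credentials.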
Let’s wrap up
Analyze.
Isolate.
Monitor.
Repeat.
These small security changes add up to a strong defense
Image credit: Wikipedia
Try OpenStack-Ansible
OpenStack-Ansible deploys enterprise-grade OpenStack clouds using Ansible.
Security and reliability are two of the core priorities for the project. Most of the security changes in this talk are already implemented.
Learn more: http://bit.ly/openstack-ansible
RACKSPACE PRIVATE CLOUD POWERED BY OPENSTACK®
Learn more about our proven operational expertise, industry-leading reliability, and OpenStack Everywhere.
Join us at the Rackspace booth (A22) in the OpenStack Marketplace.
RACKSPACE INVENTED OPENSTACK® – NOW WE'RE PERFECTING IT
Thank you!
Major Hayden
@majorhayden
major.hayden@rackspace.com
Photo credit: bastiend (Flickr)

ISACA Cloud Security Presentation 2013-09-24
 

Recently uploaded

Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 

Recently uploaded (20)

Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 

Holistic Security for OpenStack Clouds

  • 1. Holistic Security for OpenStack Clouds Major Hayden Principal Architect, Rackspace @majorhayden Photo credit: bastiend (Flickr)
  • 3. Security feels like this Image credit: Wikipedia
  • 5. Securing OpenStack can feel like taking a trip to the Upside Down.
  • 6. It doesn’t have to be that way (even with something as complex as OpenStack) Image credit: Pixabay
  • 7. The key is taking the right approach to secure a complex system.
  • 8. Major Hayden Principal Architect ● At Rackspace since 2006 ● Working on OpenStack since 2012 ● Focused on information security for Rackspace Private Cloud ● Fedora Linux contributor; Fedora Security Team and Server Working Group member ● Has a terrible domain name purchase habit (please, no ideas for domain names today)
  • 9. Holistic characterized by comprehension of the parts of something as intimately interconnected and explicable only by reference to the whole -- Oxford English Dictionary
  • 10. The holistic approach for humans considers a person to be made of a body, a mind, and a spirit. Image credit: Pixabay
  • 11. The holistic approach for OpenStack considers a cloud to be made of servers, software, and a business goal.
  • 12. A holistic approach to security involves people, processes, and technologies working in tandem.
  • 13. “The whole is greater than the sum of its parts, especially in the case of OpenStack.” -- (partially) Aristotle Image credit: Wikipedia
  • 14. How does this apply to securing an OpenStack cloud? Let’s do a quick security refresher.
  • 15. Assume that attackers will get inside eventually. Image credit: Pixabay
  • 16. Attackers are on offense. They can be wrong many times. Defenders can only be wrong once for a breach to occur.
  • 17. Securing only the outer perimeter is not sufficient.
  • 18. We must secure our OpenStack cloud. We need to go deeper.
  • 19. We just bought an expensive firewall for the perimeter. Isn’t that enough?
  • 21. Build small security improvements at multiple layers.* * This is the cornerstone of defense-in-depth.
  • 22. Individually, these changes may not seem to have much value. All of these changes create a strong, valuable security strategy when they are added together.
  • 23. Let’s get to the good stuff. Image credit: Pexels
  • 24. Work from the outside in (just like you would at a fancy dinner) Image credit: Wikipedia
  • 25. Four layers
    ● Outer perimeter
    ● Control and data planes
    ● Control plane deep dive: OpenStack services and backend services
    ● OpenStack services deep dive
    Image credit: imageme (Flickr)
  • 26. The outer perimeter Image credit: Pixabay
  • 27. OUTER PERIMETER SECURITY GOAL: Convince your attackers that it’s easier to attack someone else’s cloud
  • 28. Key concepts
    ● Make it expensive for attackers to breach your perimeter defense
    ● When they do make it through, ensure that you know about it immediately
    ● Perimeters usually have openings on the outside and inside -- secure both of them
  • 29. Tactical objectives
    ● Require a VPN for access from external networks
    ● Segregate internal networks using a firewall or an internally-facing VPN
    ● Monitor all logins (successful and unsuccessful) for unusual activity
    ● Track bandwidth usage trends using netflow data
  • 30. Secure the perimeter (diagram: VPN, Internet, Corporate network, Firewall, Log collector, Alert system, Netflow collector, Auth system)
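An added example (not part of the deck) of the login monitoring called for on slide 29: it scans sshd auth-log lines for failed-login bursts, successful logins from outside the VPN pool, and a success that follows failures from the same source. The VPN pool 10.8.0.0/24, the thresholds and the log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: the VPN hands out 10.8.0.0/24, and five
# failures from one source within a minute count as a burst.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=1)

# Matches OpenSSH "Accepted"/"Failed" auth lines in syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(line):
    """Return (timestamp, result, user, source ip) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["src"]


def unusual_logins(lines, vpn=VPN_POOL):
    """Alert on failed-login bursts, any success from outside the VPN pool,
    and a success from a source that already failed earlier in the log."""
    alerts = []
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    burst_reported = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        if result == "Failed":
            recent = [t for t in failures[src] if ts - t <= WINDOW] + [ts]
            failures[src] = recent
            if len(recent) >= FAIL_THRESHOLD and src not in burst_reported:
                burst_reported.add(src)
                alerts.append(f"burst: {len(recent)} failed logins from {src} within {WINDOW.seconds}s")
            continue
        if ipaddress.ip_address(src) not in vpn:
            alerts.append(f"non-vpn: successful login for {user} from {src}")
        if failures[src]:
            alerts.append(f"fail-then-success: {user} from {src} after {len(failures[src])} failures")
    return alerts


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = [
    "Jun  1 09:12:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Jun  1 09:12:03 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Jun  1 09:12:05 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51241 ssh2",
    "Jun  1 09:12:07 bastion sshd[2207]: Failed password for ops from 203.0.113.7 port 51242 ssh2",
    "Jun  1 09:12:09 bastion sshd[2209]: Failed password for ops from 203.0.113.7 port 51243 ssh2",
    "Jun  1 09:12:40 bastion sshd[2210]: Accepted password for ops from 203.0.113.7 port 51300 ssh2",
    "Jun  1 09:13:02 bastion sshd[2215]: Accepted publickey for ops from 10.8.0.12 port 40000 ssh2: ED25519 SHA256:constructed",
    "Jun  1 09:13:10 bastion sshd[2216]: Accepted publickey for deploy from 198.51.100.9 port 41000 ssh2: ED25519 SHA256:constructed",
    "Jun  1 09:13:11 bastion sshd[2216]: pam_unix(sshd:session): session opened for user deploy",
]
```

Running `unusual_logins(SAMPLE_AUTH_LOG)` yields four alerts: the burst from 203.0.113.7, the two findings on its later success, and the non-VPN login from 198.51.100.9.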
  • 31. Control and data planes Image credit: Pixabay
  • 32. Control and data plane
    ● Control plane: keystone, nova, glance, cinder, neutron, horizon, rabbitmq, mysql, memcached
    ● Data plane: hypervisors and tenant-built items (VMs, containers, networks, storage)
  • 33. CONTROL/DATA PLANES SECURITY GOAL: Keep the inner workings of your OpenStack cloud separated from tenant infrastructure
  • 34. Key concepts
    ● Tenant infrastructure should have extremely limited access to the control plane, and vice versa
    ● A misconfigured tenant VM could open a wide hole in your secure network
    ● Protect your cloud from VM exit exploits that allow attackers to gain hypervisor access
  • 35. Tactical objectives
    ● Separate control plane, hypervisors and tenant infrastructure with VLANs and strict firewall rules (and monitor dropped packets)
    ● Use SELinux or AppArmor on hypervisors to reduce the impact of VM and container exit exploits
  • 36. Hypervisor Linux Security Module refresher
    ● Three popular implementations: SELinux, AppArmor, and TOMOYO
    ● sVirt (in libvirt) ensures that all processes are labeled properly (SELinux) or have profiles configured (AppArmor)
    ● VM exit exploits are confined in most situations
    (diagram: Tenant VM, Storage, Network, Linux Security Module)
  • 37. Do not disable SELinux or AppArmor on your hypervisors. (Seriously. Leave it enabled.)
  • 38. Control plane deep dive: OpenStack and backend services Image credit: Wikipedia
  • 39. CONTROL PLANE SECURITY GOAL: Heavily restrict lateral movement and restrict access to the “crown jewels”
    (The “crown jewels” are the databases and message queues in your OpenStack cloud.)
  • 40. Control plane deep dive
    ● OpenStack services: keystone, nova, glance, cinder, neutron, horizon (the map to the “crown jewels” is here)
    ● Backend services: mysql, rabbitmq, memcached, syslog (the “crown jewels” are here)
  • 41. Key concepts
    ● Allow the least amount of access possible from the OpenStack services to backend services
    ● Further restrict access to specific ports, sources, and destinations
    ● Deploy services into containers to apply fine-tuned network and process restrictions
  • 42. Tactical objectives
    ● Use a load balancer or firewall to create a “choke point” between OpenStack and backend services
    ● Monitor messaging and database performance closely to look for anomalies or unauthorized access
    ● Use unique credentials for each MySQL database and RabbitMQ virtual host
  • 43. OpenStack services deep dive Image credit: Wikipedia
  • 44. OPENSTACK SERVICES SECURITY GOAL: Know what valid communication looks like and alert on everything else
  • 45. OpenStack has many (predictable) interactions
  • 46. Key concepts
    ● OpenStack services are heavily interconnected, but the connections are predictable
    ● Limit access between OpenStack services and monitor any invalid questions
  • 47. Tactical objectives
    ● Use iptables rules to limit access between OpenStack services; alert on any invalid connections
    ● Give each service a different keystone service account (with different credentials)
    ● Monitor closely for high bandwidth usage and high connection counts
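An added example (not from the deck or from OpenStack-Ansible) of the iptables allowlist on slide 47: it generates rules that accept only the expected service-to-service flows, log-then-drop every other new connection inside the control-plane network, and then turns the resulting kernel log lines into alerts. The service addresses, the 10.0.0.0/16 range, the OSCTL chain name, the log prefix and the sample log lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed service placement and expected flows (source, destination, TCP
# port); none of these addresses or names come from the deck.
SERVICE_HOSTS = {
    "keystone": "10.0.10.11",
    "nova-api": "10.0.10.12",
    "glance-api": "10.0.10.13",
    "mysql": "10.0.20.21",
    "rabbitmq": "10.0.20.22",
    "memcached": "10.0.20.23",
}
ALLOWED_FLOWS = [
    ("keystone", "mysql", 3306),
    ("keystone", "memcached", 11211),
    ("nova-api", "keystone", 5000),
    ("nova-api", "mysql", 3306),
    ("nova-api", "rabbitmq", 5672),
    ("glance-api", "keystone", 5000),
    ("glance-api", "mysql", 3306),
]
CONTROL_PLANE = ipaddress.ip_network("10.0.0.0/16")
LOG_PREFIX = "OSCTL-DROP: "


def build_rules(flows=ALLOWED_FLOWS, hosts=SERVICE_HOSTS):
    """iptables commands for an allowlist chain: accept only the expected
    flows, then log and drop other new connections from the control plane."""
    rules = [
        "iptables -N OSCTL",
        "iptables -A INPUT -j OSCTL",
        "iptables -A OSCTL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, port in flows:
        rules.append(f"iptables -A OSCTL -p tcp -s {hosts[src]}/32 -d {hosts[dst]}/32 "
                     f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    # Rate-limit the LOG target so a flood cannot drown the syslog pipeline.
    rules.append(f'iptables -A OSCTL -s {CONTROL_PLANE} -m limit --limit 5/min '
                 f'-j LOG --log-prefix "{LOG_PREFIX}"')
    rules.append(f"iptables -A OSCTL -s {CONTROL_PLANE} -j DROP")
    return rules


DROP_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=\w+(?: SPT=\d+ DPT=(?P<dpt>\d+))?")


def alerts_from_log(lines, hosts=SERVICE_HOSTS):
    """One alert per (source, destination, port) seen in kernel LOG lines."""
    by_ip = {ip: name for name, ip in hosts.items()}
    seen = defaultdict(int)
    for line in lines:
        m = DROP_RE.search(line) if LOG_PREFIX.strip() in line else None
        if m:
            seen[(m["src"], m["dst"], m["dpt"] or "-")] += 1
    return [f"{by_ip.get(s, s)} -> {by_ip.get(d, d)}:{p} rejected {n}x (not in allowlist)"
            for (s, d, p), n in sorted(seen.items())]


# Constructed kernel log lines as the LOG rule would emit them (fields trimmed).
SAMPLE_KERNEL_LOG = [
    "Jun 1 12:00:01 ctl1 kernel: OSCTL-DROP: IN=eth1 OUT= SRC=10.0.10.13 DST=10.0.20.22 LEN=60 TTL=64 PROTO=TCP SPT=43210 DPT=5672 SYN",
    "Jun 1 12:00:02 ctl1 kernel: OSCTL-DROP: IN=eth1 OUT= SRC=10.0.10.13 DST=10.0.20.22 LEN=60 TTL=64 PROTO=TCP SPT=43211 DPT=5672 SYN",
    "Jun 1 12:00:03 ctl1 kernel: OSCTL-DROP: IN=eth1 OUT= SRC=10.0.30.5 DST=10.0.20.21 LEN=60 TTL=64 PROTO=TCP SPT=50000 DPT=3306 SYN",
    "Jun 1 12:00:04 ctl1 kernel: eth1: link up",
]
```

The sample log shows glance-api reaching for RabbitMQ (a flow that is not in its allowlist) and an unknown host reaching for MySQL; both surface as alerts while the unrelated kernel line is ignored.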
  • 50. These small security changes add up to a strong defense Image credit: Wikipedia
  • 51. Try OpenStack-Ansible OpenStack-Ansible deploys enterprise-grade OpenStack clouds using Ansible. Security and reliability are two of the core priorities for the project. Most of the security changes in this talk are already implemented. Learn more: http://bit.ly/openstack-ansible
  • 52. RACKSPACE PRIVATE CLOUD POWERED BY OPENSTACK® Learn more about our proven operational expertise, industry-leading reliability, and OpenStack Everywhere. Join us at the Rackspace booth (A22) in the OpenStack Marketplace. RACKSPACE INVENTED OPENSTACK® – NOW WE'RE PERFECTING IT