Uploaded bybrian_chong
PPTX, PDF1,231 views

Openstack security presentation 2013

Symantec is building a consolidated cloud platform using OpenStack to host its SaaS applications. It is analyzing and improving OpenStack's security posture. Key security concepts for OpenStack's Grizzly release include centralized management, network segmentation, token/PKI authentication, distributed policy management, and auditing/compliance. Areas of focus for securing an OpenStack deployment include message queuing, database security, certificate management, distribution verification, and two-factor authentication.

Designβ—¦

Embed presentation

Downloaded 59 times
Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist 1
Agenda β€’ What is Symantec doing? β€’ Security Concepts for Grizzly Release – Centralized Software Defined Data Center Management – Network Segmentation – Token/PKI Based Authentication – Distributed Policy Management – Auditing and Compliance β€’ Areas of focus for Securing a OpenStack Deployment 2
About Symantec and Us About Symantec About Brian Chong β€’ Making the world a safer place… β€’ Enterprise system and data protection β€’ Norton branded consumer protection (not just Antivirus) β€’ Tackling the big problems β€’ Pioneered the Big Data approach to malware detection β€’ Significant cloud presence (Norton, MessageLabs, OCSP, etc.) β€’ Infrastructure Architect for our OpenStack efforts β€’ Security & Network Focused β€’ Interested in securing OpenStack at all tiers SYMC Confidential 3
What is Symantec Doing? β€’ We are building a consolidated cloud platform that provides infrastructure and platform services to host Symantec SaaS applications – An exciting β€œgreenfield” opportunity to re-invent our cloud infrastructure with strong executive leadership support β€’ Our development model is to use open source components as building blocks – Identify capability gaps and contribute back to community β€’ We have selected OpenStack as one of the underlying infrastructure services layers β€’ We plan to analyze and improve the overall security posture of OpenStack components β€’ We are starting small, but will scale to thousands of nodes across multiple data centers Cloud Platform Engineering 4
Scope of Investigation β€’ Version of OpenStack : Grizzly β€’ Components : Nova, Neutron, Glance, Cinder, Keystone, Swift, Horizon β€’ General : – Database : MySQL – AMQP : RabbitMQ – Hypervisor : KVM – Operating System : Ubuntu Cloud Platform Engineering 5
Security on OpenStack : Traditional Model (Defense in Depth) Application/Host Security Firewall Rules Load Balancer Filters Router ACLs 6
Security on OpenStack : Software Defined Data Center β€’ Centralized Data Model for control access – All Control points are accessible by the applications that control the Data Center for elasticity of the service – All Services have access to change the system in relatively large ways (Compute, Network, Storage) to manage service SLAs – Layered Security is now much more difficult than before, which means stronger pinpoint security is more critical than before β€’ Host based controls become more critical – Operating System – Hypervisor / Virtualization Driver – Console 7
Security on OpenStack : Centralized Model Security Sphere Security Sphere N Software Defined API Application Security Firewall Rules Load Balancer Filters Router ACLs 8
Security on OpenStack : Network Segmentation β€’ BMC and IPMI functions : Control of Hardware components – Deny All except to specific participating Deployment Servers β€’ Host/Admin : Control of Operating System – Deny All except to specific Jump Servers β€’ Service API/Messaging : Control of IaaS, Messaging & Database services and Authentication – Deny All except to each physical interface on participating Servers β€’ Private/Storage : VM to VM traffic and Storage or internal PaaS Services – Controlled by local Firewall Access (iptables per host or external Firewall) β€’ Public : External Access outside of the Cluster – Controlled by Gateway/Load Balancer/Firewall 9
Security on OpenStack : Token/PKI Based Authentication β€’ Token Expirations (assumes Caching) – Correlation of all changes in the distributed model with a issued Token β€’ PKI Token Management – Signing Certificate Expiration – Signing Engine (HSM or SW) – Root CA Distribution β€’ SSL Service Management – SSL Certificate Expiration for Services – Root CA Distribution – Private key generation and Management 10
Security on OpenStack : Distributed Policy Model β€’ Definition of different roles and policies are defined in Keystone per tenant and globally β€’ Each service has a policy.json file that lists out which defined role for that specific service has the capability to execute β€’ Each service node should be synchronized for their specific policy files or a multi-service security model can be used for the same type of service – Each upgrade has to maintain and define new roles that are included in every release 11
Security on OpenStack : Distributed Policy Model Nova policy.jso n Role Definition KeyStone Role Name Neutron policy.jso n Role Definition 12
Security on OpenStack : Auditing and Compliance β€’ Auditing – Sources : Message Queues, Log Files, Database β€’ Message Queue Event Validation process β€’ Log Parsers for Event Handling and Threat Detection β€’ Database Triggers for Security Events β€’ Compliance – Role to Policy Validation – Code Patching and Upgrade Versioning – User Information (Name, Password, Roles, etc) – IT Mgmt (ISO 27001, FISMA, FedRamp, etc) – PKI Key Management 13
Security on OpenStack : Auditing and Compliance β€’ Example : Boot a Virtual Machine – Keystone (Log, Database) – Nova (Log, Message, Database) – Glance (Log, Database) – Neutron (Log, Message, Database) – Host (Log) – Horizon (Log, Database) β€’ All of these events must be correlated to make sure that the proper rules and privileges were used during each command and against a CMDB to validate authorization 14
Areas of focus for Securing a OpenStack Deployment β€’ Message Server and Queuing – Signing all Messages and Validating Authorization β€’ Database Server and Instances – Encryption of Critical Columns β€’ Certificate Management – Overall Management and HSM Integration β€’ Distribution Verification – Signed Policy Distribution and Loading into all Services β€’ 2 Factor Authentication / Single Sign On – Token Authentication with Single Sign On through Horizon 15
Questions? 16

More Related Content

PPTX
OpenStack Security Project
byTravis McPeak
Β 
PDF
OpenStack: Security Beyond Firewalls
byGiuseppe Paterno'
Β 
PDF
OpenStack Security
byopenstackindia
Β 
PDF
OpenStack keystone identity service
byopenstackindia
Β 
PPT
Security Issues in OpenStack
byoldbam
Β 
PDF
CIS13: OpenStack API Security
byCloudIDSummit
Β 
PPT
Shmoocon 2013 - OpenStack Security Brief
byopenfly
Β 
PDF
Holistic Security for OpenStack Clouds
byMajor Hayden
Β 
OpenStack Security Project
byTravis McPeak
Β 
OpenStack: Security Beyond Firewalls
byGiuseppe Paterno'
Β 
OpenStack Security
byopenstackindia
Β 
OpenStack keystone identity service
byopenstackindia
Β 
Security Issues in OpenStack
byoldbam
Β 
CIS13: OpenStack API Security
byCloudIDSummit
Β 
Shmoocon 2013 - OpenStack Security Brief
byopenfly
Β 
Holistic Security for OpenStack Clouds
byMajor Hayden
Β 

What's hot

PPTX
Building IAM for OpenStack
bySteve Martinelli
Β 
PPTX
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
byCisco DevNet
Β 
PDF
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
Β 
PDF
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
Β 
PPTX
Keystone - Openstack Identity Service
byPrasad Mukhedkar
Β 
PPT
Open Source Cloud Computing -Eucalyptus
bySameer Naik
Β 
PPTX
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
Β 
PPTX
key aggregate cryptosystem for scalable data sharing in cloud
bySravan Narra
Β 
PDF
I psec cisco
byDeepak296
Β 
PPTX
Secure deduplicaton with efficient and reliable convergent
byJayakrishnan U
Β 
PPTX
Deep Dive into Keystone Tokens and Lessons Learned
byPriti Desai
Β 
PDF
Cloud Breach - Forensics Audit Planning
byValdez Ladd MBA, CISSP, CISA,
Β 
PDF
Automated Security Hardening with OpenStack-Ansible
byMajor Hayden
Β 
PPTX
Key aggregate cryptosystem for scalable data sharing in cloud storage
byMugesh Mukkandan
Β 
DOC
Key aggregate cryptosystem for scalable data sharing in cloud storage
byAdz91 Digital Ads Pvt Ltd
Β 
PPTX
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
Β 
PPTX
Intro to the FIWARE Lab
byFIWARE
Β 
PDF
Join FIWARE Lab
byFederico Michele Facca
Β 
PPTX
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
bySanjana Yemajala
Β 
Building IAM for OpenStack
bySteve Martinelli
Β 
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
byCisco DevNet
Β 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
Β 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
Β 
Keystone - Openstack Identity Service
byPrasad Mukhedkar
Β 
Open Source Cloud Computing -Eucalyptus
bySameer Naik
Β 
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
Β 
key aggregate cryptosystem for scalable data sharing in cloud
bySravan Narra
Β 
I psec cisco
byDeepak296
Β 
Secure deduplicaton with efficient and reliable convergent
byJayakrishnan U
Β 
Deep Dive into Keystone Tokens and Lessons Learned
byPriti Desai
Β 
Cloud Breach - Forensics Audit Planning
byValdez Ladd MBA, CISSP, CISA,
Β 
Automated Security Hardening with OpenStack-Ansible
byMajor Hayden
Β 
Key aggregate cryptosystem for scalable data sharing in cloud storage
byMugesh Mukkandan
Β 
Key aggregate cryptosystem for scalable data sharing in cloud storage
byAdz91 Digital Ads Pvt Ltd
Β 
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
Β 
Intro to the FIWARE Lab
byFIWARE
Β 
Join FIWARE Lab
byFederico Michele Facca
Β 
key aggregate cryptosystem for scalable data sharing in cloud storage abstract
bySanjana Yemajala
Β 

Similar to Openstack security presentation 2013

PPTX
Some Advanced OpenStack Overview Document
byTrungPhamVan10
Β 
PDF
cloud security lecture abcedfghigklmnopqrstucvbnm,
byarfaouisalim
Β 
PDF
Openstack 101
byKamesh Pemmaraju
Β 
PPTX
Open stack presentation
byFrikha Nour
Β 
PDF
Openstack 101 by Jason Kalai
byMyNOG
Β 
PDF
AmΓ©liorer OpenStack avec les technologies Intel
byOdinot Stanislas
Β 
PPTX
Nairobi OpenStack Meetup - July 2013
byadamnelson
Β 
PPTX
Openstack: starter level
byAlessandro Martellone
Β 
PPTX
OpenStack 101
byPriti Desai
Β 
PPTX
OpenStack 101
byAll Things Open
Β 
PPTX
Introduction Openstack
byRanjith Kumar
Β 
PDF
Openstack: security beyond firewalls
byGARL
Β 
PPT
Openstack presentation
bySankalp Jain
Β 
PPT
OpenStack - An Overview
bygraziol
Β 
PDF
Red Hat presentatie: Open stack Latest Pure Tech
byProxyServices
Β 
PDF
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
bySadique Puthen
Β 
PDF
Red Hat Cloud Infrastructure Conference 2013 - Presentation about OpenStack ...
byElos Technologies s.r.o.
Β 
PPTX
Openstack 101
byJason Kalai Arasu
Β 
PPTX
OpenStack: The Linux of Cloud hosted by LPI
byNiki Acosta
Β 
PDF
Open stack
byLuan Cestari
Β 
Some Advanced OpenStack Overview Document
byTrungPhamVan10
Β 
cloud security lecture abcedfghigklmnopqrstucvbnm,
byarfaouisalim
Β 
Openstack 101
byKamesh Pemmaraju
Β 
Open stack presentation
byFrikha Nour
Β 
Openstack 101 by Jason Kalai
byMyNOG
Β 
AmΓ©liorer OpenStack avec les technologies Intel
byOdinot Stanislas
Β 
Nairobi OpenStack Meetup - July 2013
byadamnelson
Β 
Openstack: starter level
byAlessandro Martellone
Β 
OpenStack 101
byPriti Desai
Β 
OpenStack 101
byAll Things Open
Β 
Introduction Openstack
byRanjith Kumar
Β 
Openstack: security beyond firewalls
byGARL
Β 
Openstack presentation
bySankalp Jain
Β 
OpenStack - An Overview
bygraziol
Β 
Red Hat presentatie: Open stack Latest Pure Tech
byProxyServices
Β 
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
bySadique Puthen
Β 
Red Hat Cloud Infrastructure Conference 2013 - Presentation about OpenStack ...
byElos Technologies s.r.o.
Β 
Openstack 101
byJason Kalai Arasu
Β 
OpenStack: The Linux of Cloud hosted by LPI
byNiki Acosta
Β 
Open stack
byLuan Cestari
Β 

Recently uploaded

PPTX
iTools 4.5.1.9 Crack for macOS 100% Working 2026 Fully Unlocked pptx
bysohlakhnn
Β 
PPTX
Wondershare Filmora 15.0.11 Crack for Mac Key Full Download [Latest] pptx
bysanaolikhnn
Β 
PPTX
Driver Easy Pro Key 7.1.0.2641 Full Mac Crack Free Activated Download [2026]....
bysanaolikhnn
Β 
PPTX
iStat Menus 7.20 Crack for MacOS 2026 Full Version [Latest] pptx
bysohlakhnn
Β 
PPTX
AnyTrans for iOS 8.9.14.20251127 With Crack for MacOS [Latest] pptx
bysohlakhnn
Β 
PPTX
Soundtoys Mac v5.5.5.0 Crack for MacOS Full Version [Latest] pptx
byponikhnn
Β 
PPT
THEORY OF ARCHITECTURE - LECTURE NOTES FOR REFERENCE
bykanakatharak1
Β 
PDF
Advanced Computational Intelligence: An International Journal (ACII)
byaciijournal
Β 
PPTX
Hunt for the wilderpeople 2024-12-09 12_11_42.pptx
bynoahjoyce210
Β 
PDF
mahad home wifi 6 setup presentation system.pdf
byVinMao1
Β 
PPTX
coverpage for acr on professional code of ethics.pptx
byMariaTeresitaArandia1
Β 
PPTX
Chapter4_Initiation_of_Sediment_Motion_v2[1].pptx
byBedassaDessalegn3
Β 
PPTX
Staffing Board - MICU1111111111111111111
byaustinpuckett2808
Β 
PPTX
mitochondiral disorders pdf with voice over.pptx
byrawad1693
Β 
PDF
Graduate Portfolio _ surabhi vashisht.pdf
bysvashish05
Β 
PDF
Graphic Design Portfolio 2025 - Raghu Sharma (Marketing Designer)
byRaghuraj Sharma
Β 
PDF
Architect Saleem khattak (Archi) Portfolio
byArSaleemktk
Β 
PDF
Cultural dimensions and global web user interface design
byfiorellacastanedat
Β 
PDF
WEDDING STYLING / INTERIOR DESIGN PORTFOLIO 2025 SK
byShahira K
Β 
PPTX
Mastering Unity in Photography: Techniques for Visual Harmony
bySam Smith
Β 
iTools 4.5.1.9 Crack for macOS 100% Working 2026 Fully Unlocked pptx
bysohlakhnn
Β 
Wondershare Filmora 15.0.11 Crack for Mac Key Full Download [Latest] pptx
bysanaolikhnn
Β 
Driver Easy Pro Key 7.1.0.2641 Full Mac Crack Free Activated Download [2026]....
bysanaolikhnn
Β 
iStat Menus 7.20 Crack for MacOS 2026 Full Version [Latest] pptx
bysohlakhnn
Β 
AnyTrans for iOS 8.9.14.20251127 With Crack for MacOS [Latest] pptx
bysohlakhnn
Β 
Soundtoys Mac v5.5.5.0 Crack for MacOS Full Version [Latest] pptx
byponikhnn
Β 
THEORY OF ARCHITECTURE - LECTURE NOTES FOR REFERENCE
bykanakatharak1
Β 
Advanced Computational Intelligence: An International Journal (ACII)
byaciijournal
Β 
Hunt for the wilderpeople 2024-12-09 12_11_42.pptx
bynoahjoyce210
Β 
mahad home wifi 6 setup presentation system.pdf
byVinMao1
Β 
coverpage for acr on professional code of ethics.pptx
byMariaTeresitaArandia1
Β 
Chapter4_Initiation_of_Sediment_Motion_v2[1].pptx
byBedassaDessalegn3
Β 
Staffing Board - MICU1111111111111111111
byaustinpuckett2808
Β 
mitochondiral disorders pdf with voice over.pptx
byrawad1693
Β 
Graduate Portfolio _ surabhi vashisht.pdf
bysvashish05
Β 
Graphic Design Portfolio 2025 - Raghu Sharma (Marketing Designer)
byRaghuraj Sharma
Β 
Architect Saleem khattak (Archi) Portfolio
byArSaleemktk
Β 
Cultural dimensions and global web user interface design
byfiorellacastanedat
Β 
WEDDING STYLING / INTERIOR DESIGN PORTFOLIO 2025 SK
byShahira K
Β 
Mastering Unity in Photography: Techniques for Visual Harmony
bySam Smith
Β 

Openstack security presentation 2013

  • 1.
    Security on OpenStack 11/7/2013 BrianChong – Global Technology Strategist 1
  • 2.
    Agenda β€’ What isSymantec doing? β€’ Security Concepts for Grizzly Release – Centralized Software Defined Data Center Management – Network Segmentation – Token/PKI Based Authentication – Distributed Policy Management – Auditing and Compliance β€’ Areas of focus for Securing a OpenStack Deployment 2
  • 3.
    About Symantec andUs About Symantec About Brian Chong β€’ Making the world a safer place… β€’ Enterprise system and data protection β€’ Norton branded consumer protection (not just Antivirus) β€’ Tackling the big problems β€’ Pioneered the Big Data approach to malware detection β€’ Significant cloud presence (Norton, MessageLabs, OCSP, etc.) β€’ Infrastructure Architect for our OpenStack efforts β€’ Security & Network Focused β€’ Interested in securing OpenStack at all tiers SYMC Confidential 3
  • 4.
    What is SymantecDoing? β€’ We are building a consolidated cloud platform that provides infrastructure and platform services to host Symantec SaaS applications – An exciting β€œgreenfield” opportunity to re-invent our cloud infrastructure with strong executive leadership support β€’ Our development model is to use open source components as building blocks – Identify capability gaps and contribute back to community β€’ We have selected OpenStack as one of the underlying infrastructure services layers β€’ We plan to analyze and improve the overall security posture of OpenStack components β€’ We are starting small, but will scale to thousands of nodes across multiple data centers Cloud Platform Engineering 4
  • 5.
    Scope of Investigation β€’Version of OpenStack : Grizzly β€’ Components : Nova, Neutron, Glance, Cinder, Keystone, Swift, Horizon β€’ General : – Database : MySQL – AMQP : RabbitMQ – Hypervisor : KVM – Operating System : Ubuntu Cloud Platform Engineering 5
  • 6.
    Security on OpenStack: Traditional Model (Defense in Depth) Application/Host Security Firewall Rules Load Balancer Filters Router ACLs 6
  • 7.
    Security on OpenStack: Software Defined Data Center β€’ Centralized Data Model for control access – All Control points are accessible by the applications that control the Data Center for elasticity of the service – All Services have access to change the system in relatively large ways (Compute, Network, Storage) to manage service SLAs – Layered Security is now much more difficult than before, which means stronger pinpoint security is more critical than before β€’ Host based controls become more critical – Operating System – Hypervisor / Virtualization Driver – Console 7
  • 8.
    Security on OpenStack: Centralized Model Security Sphere Security Sphere N Software Defined API Application Security Firewall Rules Load Balancer Filters Router ACLs 8
  • 9.
    Security on OpenStack: Network Segmentation β€’ BMC and IPMI functions : Control of Hardware components – Deny All except to specific participating Deployment Servers β€’ Host/Admin : Control of Operating System – Deny All except to specific Jump Servers β€’ Service API/Messaging : Control of IaaS, Messaging & Database services and Authentication – Deny All except to each physical interface on participating Servers β€’ Private/Storage : VM to VM traffic and Storage or internal PaaS Services – Controlled by local Firewall Access (iptables per host or external Firewall) β€’ Public : External Access outside of the Cluster – Controlled by Gateway/Load Balancer/Firewall 9
  • 10.
    Security on OpenStack: Token/PKI Based Authentication β€’ Token Expirations (assumes Caching) – Correlation of all changes in the distributed model with a issued Token β€’ PKI Token Management – Signing Certificate Expiration – Signing Engine (HSM or SW) – Root CA Distribution β€’ SSL Service Management – SSL Certificate Expiration for Services – Root CA Distribution – Private key generation and Management 10
  • 11.
    Security on OpenStack: Distributed Policy Model β€’ Definition of different roles and policies are defined in Keystone per tenant and globally β€’ Each service has a policy.json file that lists out which defined role for that specific service has the capability to execute β€’ Each service node should be synchronized for their specific policy files or a multi-service security model can be used for the same type of service – Each upgrade has to maintain and define new roles that are included in every release 11
  • 12.
    Security on OpenStack: Distributed Policy Model Nova policy.jso n Role Definition KeyStone Role Name Neutron policy.jso n Role Definition 12
  • 13.
    Security on OpenStack: Auditing and Compliance β€’ Auditing – Sources : Message Queues, Log Files, Database β€’ Message Queue Event Validation process β€’ Log Parsers for Event Handling and Threat Detection β€’ Database Triggers for Security Events β€’ Compliance – Role to Policy Validation – Code Patching and Upgrade Versioning – User Information (Name, Password, Roles, etc) – IT Mgmt (ISO 27001, FISMA, FedRamp, etc) – PKI Key Management 13
  • 14.
    Security on OpenStack: Auditing and Compliance β€’ Example : Boot a Virtual Machine – Keystone (Log, Database) – Nova (Log, Message, Database) – Glance (Log, Database) – Neutron (Log, Message, Database) – Host (Log) – Horizon (Log, Database) β€’ All of these events must be correlated to make sure that the proper rules and privileges were used during each command and against a CMDB to validate authorization 14
  • 15.
    Areas of focusfor Securing a OpenStack Deployment β€’ Message Server and Queuing – Signing all Messages and Validating Authorization β€’ Database Server and Instances – Encryption of Critical Columns β€’ Certificate Management – Overall Management and HSM Integration β€’ Distribution Verification – Signed Policy Distribution and Loading into all Services β€’ 2 Factor Authentication / Single Sign On – Token Authentication with Single Sign On through Horizon 15
  • 16.

Editor's Notes

  • #11Β How are you going to do PKI at massive scale?How do you manage different SSL Certificates per node or per client?
  • #14Β Production Level Compliance items for all Data CentersHaven’t found anything within OpenStack that enables this easily
  • #15Β Production Level Compliance items for all Data CentersHaven’t found anything within OpenStack that enables this easily