Mirantis has developed tools and modules to help secure OpenStack clouds and meet PCI compliance standards. Their solution includes Puppet modules for hardening systems, logging, auditing, and encrypting communications. It also provides documentation and checklists. However, the solution focuses on infrastructure and operators, and does not include securing virtual machines or images directly. For full compliance, additional work is needed around areas like encryption and access controls.

1. Securing
for compliance
Tomasz ‘Zen’ Napierała
Sr. OpenStack Engineer
©
MIRANTIS
2013
PAGE
1

2. Tomasz Z. Napierała
Senior OpenStack Engineer @ Mirantis, Inc.
automation, web performance, compliance, security
©
MIRANTIS
2013
PAGE
2

3. Mirantis, Inc.
Largest independent vendor of OpenStack services and technology.
We operate from Mountain View, California, with remote offices in Russia, Ukraine
and Poland.
60+ successful OpenStack implementations and 400+ infrastructure experts.
©
MIRANTIS
2013
PAGE
3

4. Mirantis, Inc.
©
MIRANTIS
2013
PAGE
4

5. Agenda
©
MIRANTIS
2013
PAGE
5

6. What’s included
• State of cloud compliance
• Modules overview
• Practical tips
©
MIRANTIS
2013
PAGE
6

7. What’s not included
• Securing VMs
• Guarantee
©
MIRANTIS
2013
PAGE
7

8. PCI DSS overview
©
MIRANTIS
2013
PAGE
8

9. PCI DSS recap
• Set of policies and procedures
• Optimize security of financial data processing
• Protect cardholders
• 12 general requirements
• Ongoing process
• PCI DSS version 2.0
©
MIRANTIS
2013
PAGE
9

10. State of compliance in cloud
• Not possible (pre 2012)
• Hard, not clear (pre 2013)
• PCI DSS 2.0 Cloud Computing Guide (Feb. 2013)
• Production deployments
• Rackspace
©
MIRANTIS
2013
PAGE
10

11. Where are we
12
x
Rely
on
Cloud
Service
Provider
for
HW-­‐>Hypervisor
related
compliance
Phil
Cox,
RightScale
©
MIRANTIS
2013
PAGE
11

12. Whare are we
VM
Hypervisor
Storage
Network
Hardware
©
MIRANTIS
2013
PAGE
12

13. PCI DSS requirements
Source:
hSp://www.datasecureworks.com/images/Trustwave/pci-­‐requirements-­‐grid.png
©
MIRANTIS
2013
PAGE
13

14. Projects history
• Initially launched for customer (2 engineers)
• Moved into internal project (2+ engineers)
• Some parts reused in other projects
• 2 clients using the tools
©
MIRANTIS
2013
PAGE
14

15. Projects limitations
• RedHat / CentOS compatible
• Only for private IaaS clouds
• Operator centric
• Technology focused
• Everything in scope
• No “redo”
• No OpenStack patches
• No firwall management
©
MIRANTIS
2013
PAGE
15

16. Ingredients
©
MIRANTIS
2013
PAGE
16

17. Elements
• Baseline hardening
• HSM PoC
• Auditing system
• Log collection system
• Intra cluster secure communication
• Audit tools
• Documentation
©
MIRANTIS
2013
PAGE
17

18. Tools
• Fuel extension
• Puppet modules
• OpenStack patches (not included)
• OpenSCAP profiles (SRR)
• Documentation
• Checklist
©
MIRANTIS
2013
PAGE
18

19. Notes
• PCI DSS 2.0
• NIST
©
MIRANTIS
2013
PAGE
19

20. External dependencies
• LDAP / AD
• HSM (PoC available)
• Secure database + SSL
©
MIRANTIS
2013
PAGE
20

21. Puppet modules
©
MIRANTIS
2013
PAGE
21

22. aide
• File integrity checking with AIDE
©
MIRANTIS
2013
PAGE
22

23. auditd
• Auditing and logging during boot
• Auditing ang logging in runtime
• Crucial file access monitoring
• Over 80 rules
• Based on Aqueduct project https://fedorahosted.org/
aqueduct/
©
MIRANTIS
2013
PAGE
23

24. baseline
• Disabling services
• Sysctl tuning
• Disabling interactive startup
• Password for single mode
• Profile tuning
• PCI DSS required info in issue/issue.net
©
MIRANTIS
2013
PAGE
24

25. clamav
• Scanning policies
• Update policies
• Logging
©
MIRANTIS
2013
PAGE
25

26. controller_ipsec
• Mesh tunnels between controllers
©
MIRANTIS
2013
PAGE
26

27. limits
• Tuning system limits
©
MIRANTIS
2013
PAGE
27

28. Logstash (+ kibana + zeromq)
• Entire log collection infrastructure
• Predefinded OpenStack inputs + filters
©
MIRANTIS
2013
PAGE
28

29. pam
• Cracklib
• Blocking accounts
©
MIRANTIS
2013
PAGE
29

30. pwpolicy
• Password policies
©
MIRANTIS
2013
PAGE
30

31. rabbitmq
• Added SSL support
©
MIRANTIS
2013
PAGE
31

32. securetty
• Disabling root login on console
©
MIRANTIS
2013
PAGE
32

33. secureusers
• Securing internl OpenStack and systems users
©
MIRANTIS
2013
PAGE
33

34. ssh
• Secure SSH client and server configuration
©
MIRANTIS
2013
PAGE
34

35. sudo
• Protecting from shell escapes
• Disabling sudo su for root
• Secure defaults for sessions
©
MIRANTIS
2013
PAGE
35

36. What’s not included
• System images
• Glance protection
• Swift encryption
©
MIRANTIS
2013
PAGE
36

37. Tips
• HSM (PoC available)
• Compliance is not technology
• Virtualized != cloud
• Automation is a king
• Get an expert
• Get experienced QSA
• Use Quantum
©
MIRANTIS
2013
PAGE
37

38. Notes
• Buggy egress filtering in Grizzly
• No default TLS support in VNC
• No image scanning, shredding, etc.
• User cleanup scripts
• No logging framework for tracking cloud
activities?
• No granular access rights
• No default „zero access” policy
©
MIRANTIS
2013
PAGE
38

39. Notes on 8.5
©
MIRANTIS
2013
PAGE
39

40. Notes on 10.1
©
MIRANTIS
2013
PAGE
40

41. Roadmap
• Publication will be annouced on Mirantis blog
• Planned date: end of 2013
©
MIRANTIS
2013
PAGE
41

42. Questions?
©
MIRANTIS
2013
PAGE
42