
Keystone Security A Symantec Perspective on Securing Keystone


1 Keystone Security: A Symantec Perspective on Securing Keystone
Keith Newstadt, Cloud Services Architect
Keystone Security – OpenStack Summit Atlanta

2 Symantec’s Cloud Platform Engineering Objectives
We are building a consolidated cloud platform that provides infrastructure and platform services for next-generation Symantec products and services.
An exciting “greenfield” opportunity to re-invent our cloud infrastructure, with strong executive leadership and support.
We are building a global team in the US, Europe, and Asia of top-notch, open-source-minded engineers in the areas of cloud and big data.
Our development model is to use open source components as building blocks, identify capability gaps, and contribute back to the community.
We have selected OpenStack as one of the underlying infrastructure service layers.
We plan to analyze and help improve the overall security posture of OpenStack components.
We are starting small, but will scale to thousands of nodes across multiple data centers.

3 The Symantec Team
Me:
In security for nearly 15 years.
Norton Web Services, including the Norton Identity Provider: billions of requests, 100M+ users, 100M+ endpoints, under constant attack.
Now working on Symantec’s next-generation cloud, using OpenStack.
The team:
Cloud Platform Engineering
Symantec Compliance Suite
Symantec Validation and ID Protection (VIP)
Symantec Product Security Group
Global Security Organization (InfoSec)

4 Brief Keystone Overview
(Diagram: a client authenticates to Keystone and receives an identity token; the OpenStack service it calls validates that identity token with Keystone.)
Single point of auth for all OpenStack services.
Single sign-on to OpenStack services.
Common API layer on top of various authentication protocols.
Reduces exposure of credentials, and more…

5 Keystone Security is Critical
What is at stake: passwords, keys, certs, tokens, DoS.

6 Symantec’s Approach to Securing Keystone
Application: Threat Resilience, Multifactor Authentication, Identity Standards.
Environment: Infrastructure, Operating System, Auditing.
Process: Threat Modeling, Security Scans, Compliance.

7 Process

8 What am I trying to protect?
What are my assets?
Is my particular deployment secure?
Where am I likely to be attacked?

9 Threat Modeling
Threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privileges.
Example for Spoofing: could someone spoof the LDAP server? Mitigation option: LDAP server authentication.

10 Am I running what I think I’m running?
Did I get the right images and distros?
Could something malicious be injected into the deployment process?
Am I running the most secure patch level?

11 Supply Chain Management
Questions around third-party component security are an unsolved problem.
Stages: Download, Build, Deploy, Patch.
Make sure it’s good. Make sure it’s secure. It seems obvious, but… make sure you’ve validated.
Security scans: we’re using Symantec Control Compliance Suite; others: Qualys, Nessus, etc.
Stay on a secure patch level.

12 Environment

13 Is my system hardened against attacks?
Can someone change my deployment?
What assets could be stolen from my environment?
Do I know what happened after I’ve been attacked?

14 Hardening and Auditing
Every deployment is different. Start by following the trail from keystone.conf: config files, log files, ports, executables.
Harden each of these, and audit each of these.
Compliance: we’re using Symantec Data Center Security for Linux and OpenStack compliance. Other tools are out there as well: SELinux, Tripwire, etc.
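Following the trail from keystone.conf in code: the added example below (not part of the presentation or of Keystone itself) audits a constructed keystone.conf for secrets that make the file itself a sensitive asset, checks the LDAP settings that mitigate the spoofed-LDAP-server threat from the threat-modeling slide, and gives a mode check to run against the files the config points at. The config values are made up; the option names are real Keystone options.

```python
import configparser
import stat

# Constructed sample keystone.conf (not from any real deployment): the option names
# are real Keystone options, every value is made up for the example.
SAMPLE_KEYSTONE_CONF = """
[DEFAULT]
admin_token = EXAMPLE-ADMIN-TOKEN
[database]
connection = mysql://keystone:EXAMPLEPASS@10.0.0.5/keystone
[ldap]
url = ldap://ldap.example.internal
password = EXAMPLEPASS
use_tls = False
tls_req_cert = allow
[signing]
keyfile = /etc/keystone/ssl/private/signing_key.pem
"""

# Options whose values are secrets: the file that holds them must not be world-readable.
SECRET_OPTIONS = [("DEFAULT", "admin_token"), ("database", "connection"), ("ldap", "password")]


def audit_keystone_conf(text):
    """Return findings for secrets kept in the file and for the LDAP server-authentication posture."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section, option in SECRET_OPTIONS:
        if cfg.get(section, option, fallback="").strip():
            findings.append(f"[{section}] {option} holds a secret: keep keystone.conf mode 0600, owned by keystone")
    if cfg.has_section("ldap"):
        # Mitigation for a spoofed LDAP server: TLS with the server certificate verified.
        ldaps = cfg.get("ldap", "url", fallback="").startswith("ldaps://")
        if not ldaps and not cfg.getboolean("ldap", "use_tls", fallback=False):
            findings.append("[ldap] neither ldaps:// nor use_tls: the LDAP server is not authenticated")
        if cfg.get("ldap", "tls_req_cert", fallback="demand") != "demand":
            findings.append("[ldap] tls_req_cert must be 'demand' so a bad server certificate is rejected")
    return findings


def mode_problem(path, st_mode):
    """st_mode from os.stat(path); group/other access to a private key or to keystone.conf is a finding."""
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path} is readable by group/others (mode {stat.S_IMODE(st_mode):04o})"
    return None
```

Run `mode_problem(p, os.stat(p).st_mode)` for keystone.conf and for the [signing] keyfile it names; the same trail continues to the log files and listening ports the config defines.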

15 Is my data secure while in motion?
What high-value assets are being transmitted?
What would be the repercussions if these assets were intercepted or tampered with?
How much of my environment do I trust?

16 Security of Credentials on the Wire
Assets: credentials and tokens.
(Diagram: the client sends credentials in POST /tokens to Keystone; the token it receives then travels to Nova, Cinder, and Swift.)
Attack vectors on both internal and external networks.
Balance risk and cost.
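One concrete way to put the “how much of my environment do I trust” question to a deployment, as an added example that is not part of the presentation: walk the service catalog Keystone returns with a token and report every endpoint that would carry that token over plain HTTP, letting the operator declare which interface (for example internalURL) lives on a network they have decided to trust. The catalog below is constructed in the shape of a Keystone v2.0 token response; hostnames and ports are made up.

```python
import json
from urllib.parse import urlsplit

# Constructed v2.0 token response excerpt (not from a real deployment): the structure
# is Keystone's serviceCatalog, the hostnames and addresses are made up.
SAMPLE_TOKEN_RESPONSE = json.dumps({"access": {"serviceCatalog": [
    {"type": "identity", "name": "keystone", "endpoints": [{"region": "RegionOne",
        "publicURL": "https://identity.example.com:5000/v2.0",
        "internalURL": "http://10.0.0.10:5000/v2.0",
        "adminURL": "http://10.0.0.10:35357/v2.0"}]},
    {"type": "compute", "name": "nova", "endpoints": [{"region": "RegionOne",
        "publicURL": "https://compute.example.com:8774/v2",
        "internalURL": "http://10.0.0.20:8774/v2",
        "adminURL": "https://10.0.0.20:8774/v2"}]}]}})

INTERFACES = ("publicURL", "internalURL", "adminURL")


def plaintext_endpoints(token_response_json, trusted_interfaces=()):
    """Return (service, interface, url) for every catalog endpoint that would carry a
    token over plain HTTP, skipping interfaces the operator has chosen to trust."""
    catalog = json.loads(token_response_json)["access"]["serviceCatalog"]
    findings = []
    for service in catalog:
        for endpoint in service["endpoints"]:
            for interface in INTERFACES:
                url = endpoint.get(interface)
                if url and interface not in trusted_interfaces and urlsplit(url).scheme != "https":
                    findings.append((service["name"], interface, url))
    return findings
```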

17 Application

18 Will I know when I’m under attack? (and I will be…)
Who is attacking me?
What is their target?
How do I stop them?

19 Keystone Intrusion Detection
How do you fend off an attack? What will you need after an attack?
Prevention: rate limiting to impede brute-force attacks; challenges to foil automated attacks; blacklist malicious IPs; detect and block anomalous user behavior.
Forensics: track users, token hashes, source IP addresses; aggregate logs in a central location; perform analytics and correlation; security vs. privacy.
Add request logging and blocking at a proxy, load balancer, or in a Keystone filter.
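The detection side of that slide, as an added example that is neither the presentation’s nor Keystone’s own code: stream proxy-style access logs once, count failed POST /tokens requests per source IP in a sliding window, and report the IPs (with the moment they crossed the threshold) that a proxy, load balancer, or Keystone filter would then rate-limit or blacklist. It also shows the “token hashes” point: logs correlate on a digest of the token, never the token itself. The log lines and their format are constructed for the example.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed access-log lines in a simple proxy format (timestamp, source IP, method,
# path, status, username); not real traffic. The addresses are documentation ranges.
LOG_LINES = """\
2014-05-13T10:00:01Z 203.0.113.7 POST /v2.0/tokens 401 alice
2014-05-13T10:00:02Z 203.0.113.7 POST /v2.0/tokens 401 alice
2014-05-13T10:00:03Z 203.0.113.7 POST /v2.0/tokens 401 bob
2014-05-13T10:00:04Z 198.51.100.9 POST /v2.0/tokens 200 carol
2014-05-13T10:00:05Z 203.0.113.7 POST /v2.0/tokens 401 carol
2014-05-13T10:00:06Z 203.0.113.7 POST /v2.0/tokens 401 dave
2014-05-13T10:00:07Z 203.0.113.7 POST /v2.0/tokens 401 erin
2014-05-13T10:00:08Z 198.51.100.9 GET /v2.0/tenants 200 carol
2014-05-13T10:05:00Z 203.0.113.7 POST /v2.0/tokens 401 alice
""".splitlines()

WINDOW = timedelta(seconds=60)   # sliding window for counting failures per source IP
THRESHOLD = 5                    # failed token requests inside WINDOW before blocking


def parse(line):
    ts, ip, method, path, status, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), ip, method, path, int(status), user


def brute_force_sources(lines):
    """Stream the log once; return {ip: first time it reached THRESHOLD failed POST /tokens}."""
    recent = defaultdict(deque)   # ip -> timestamps of failed token requests still in the window
    flagged = {}
    for line in lines:
        ts, ip, method, path, status, _user = parse(line)
        if not (method == "POST" and path.endswith("/tokens") and status == 401):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD and ip not in flagged:
            flagged[ip] = ts
    return flagged


def token_ref(token):
    """What to write to the log for a token: a truncated SHA-256 lets analysts correlate
    requests without the log becoming a store of valid credentials."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]
```

The same per-IP window can key on username instead to catch a password spray spread across many sources, which is the kind of anomalous behaviour the slide’s “analytics, correlation” line refers to.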

20 Am I effectively validating my users?
Are passwords enough?
What additional kinds of auth should I support?
How should I implement it?

21 Two-Factor Auth
(Diagram: Identity Provider → Keystone → Backend Driver → backing server → Authenticator.)
Backend drivers: LDAP Driver, SQL Driver, RADIUS Driver.
Backing servers: LDAP Server, MySQL DB, RADIUS Server.
Authenticators: VIP Service, RSA SecurID, Symantec VIP Gateway.

22 How do my services and scripts authenticate themselves?
How do I delegate?
How do I control access scope?
What is the technical and management cost of a solution?

23 Autonomous Authentication
(Diagram: a service presents a token to Keystone and Nova; where do its credentials come from, and how is that delegation handled?)
Considerations: secure cached credentials; limit scope; expiration; management.
Potential solutions: cached passwords; EC2 keys; trusts; keys; certificates; …?
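Two of those considerations worked through with the “trusts” option, as an added example that is not the presentation’s or Keystone’s code: a request body for Keystone v3’s OS-TRUST API that delegates only named roles on one project with an explicit expiry, and a small in-memory cache that holds the resulting scoped token (not the password) and re-issues it before expiry. The `issue` callable is an assumption standing in for the call that would actually POST to Keystone; `demo()` drives the cache with a constructed clock.

```python
from datetime import datetime, timedelta, timezone


def build_trust_request(trustor_id, trustee_id, project_id, role_names, expires_at):
    """Body for POST /v3/OS-TRUST/trusts: delegate only the listed roles on one project,
    for a bounded time, without impersonation."""
    if not role_names:
        raise ValueError("a trust with no roles delegates nothing useful")
    return {"trust": {
        "trustor_user_id": trustor_id,
        "trustee_user_id": trustee_id,
        "project_id": project_id,
        "impersonation": False,
        "roles": [{"name": r} for r in role_names],
        "expires_at": expires_at.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
    }}


class TokenCache:
    """Keeps a scoped token in memory instead of the password that issued it, and re-issues
    it shortly before Keystone's expires_at. `issue` is an assumed callable returning
    (token, expires_at) for the configured trust; this example never talks to Keystone."""

    def __init__(self, issue, refresh_margin=timedelta(minutes=5)):
        self._issue = issue
        self._margin = refresh_margin
        self._token = None
        self._expires_at = None
        self.issued = 0   # how many times a token was (re)issued, for the demo below

    def get(self, now):
        if self._token is None or now >= self._expires_at - self._margin:
            self._token, self._expires_at = self._issue()
            self.issued += 1
        return self._token


def demo():
    """Constructed issuer: each call yields a fresh token valid for one hour from 'now'."""
    clock = [datetime(2014, 5, 13, 10, 0, tzinfo=timezone.utc)]
    def issue():
        return f"token-{clock[0].isoformat()}", clock[0] + timedelta(hours=1)
    cache = TokenCache(issue)
    tokens = []
    for minutes in (0, 10, 50, 56, 70):   # 56 min is inside the 5-minute refresh margin
        clock[0] = datetime(2014, 5, 13, 10, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes)
        tokens.append(cache.get(clock[0]))
    return cache.issued, tokens
```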

24 Standards…

25 Keystone and Standard Protocols
There is interest in industry-standard identity protocols for OpenStack.
Symantec has been through a migration like this before.
The community has already submitted blueprints.
Benefits: single sign-on; improved integration; control over credentials; unified authentication experience.
Symantec will look to participate in this effort.

26 Parting thoughts
Protect your credentials everywhere.
Securing your use of Keystone is an ongoing process.
Share.

27 Q&A

28 Keith Newstadt, keith_newstadt@symantec.com

