
Keystone Security – OpenStack Summit Atlanta 1 Keystone Security A Symantec Perspective on Securing Keystone Keith Newstadt Cloud Services Architect.


Slide 1: Keystone Security – OpenStack Summit Atlanta
Keystone Security: A Symantec Perspective on Securing Keystone
Keith Newstadt, Cloud Services Architect

Slide 2: Symantec's Cloud Platform Engineering Objectives
- We are building a consolidated cloud platform that provides infrastructure and platform services for next generation Symantec products and services
  - An exciting "greenfield" opportunity to re-invent our cloud infrastructure with strong executive leadership and support
  - Building a global team in the US, Europe, and Asia of top-notch, open source minded engineers in the areas of cloud and big data
- Our development model is to use open source components as building blocks
  - Identify capability gaps and contribute back to the community
- We have selected OpenStack as one of the underlying infrastructure services layers
- We plan to analyze and help improve the overall security posture of OpenStack components
- We are starting small, but will scale to thousands of nodes across multiple data centers

Slide 3: The Symantec Team
- Me
  - In security for nearly 15 years
  - Norton Web Services, including the Norton Identity Provider: billions of requests, 100M+ users, 100M+ endpoints, under constant attack
  - Now working on Symantec's next generation cloud, using OpenStack
- The team
  - Cloud Platform Engineering
  - Symantec Compliance Suite
  - Symantec Validation and ID Protection (VIP)
  - Symantec Product Security Group
  - Global Security Organization (InfoSec)

Slide 4: Brief Keystone Overview
(Diagram: a client authenticates to Keystone and receives an identity token; an OpenStack service then validates that token with Keystone.)
- Single point of auth for all OpenStack services
- Single sign on to OpenStack services
- Reduces exposure of credentials
- Common API layer on top of various authentication protocols
- and more...

Slide 5: Keystone Security is Critical
(Diagram of what is at stake: Passwords, Keys, Certs, Tokens, DoS)

Slide 6: Symantec's Approach to Securing Keystone
(Diagram: three layers, Process, Environment and Application, covering Threat Modeling, Security Scans, Compliance, Infrastructure, Operating System, Auditing, Threat Resilience, Multifactor Authentication and Identity Standards)

Slide 7: Process

Slide 8: Process questions
- What am I trying to protect? What are my assets?
- Is my particular deployment secure?
- Where am I likely to be attacked?

Slide 9: Threat Modeling (STRIDE)
- Spoofing: Could someone spoof the LDAP server? Mitigation option: LDAP server authentication
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privileges

Slide 10: Supply chain questions
- Am I running what I think I'm running?
- Did I get the right images and distros?
- Could something malicious be injected into the deployment process?
- Am I running the most secure patch level?

Slide 11: Supply Chain Management
Pipeline: Download -> Build -> Deploy -> Patch
- Download: make sure it's good
- Build: make sure it's secure
- Deploy: make sure you've validated
- Patch: stay on a secure patch level
- Security scanning: we're using Symantec Control Compliance Suite; others: Qualys, Nessus, etc.
- It seems obvious, but... questions around third party component security remain an unsolved problem.

Slide 12: Environment

Slide 13: Environment questions
- Is my system hardened against attacks?
- Can someone change my deployment?
- What assets could be stolen from my environment?
- Do I know what happened after I've been attacked?

Slide 14: Keystone Compliance
- We're using Symantec Data Center Security for Linux and OpenStack compliance. Other tools are out there as well: SELinux, Tripwire, etc.
- What to monitor: config files, log files, ports, executables
- Every deployment is different. Start by following the trail from keystone.conf.

Slide 15: Data in motion questions
- Is my data secure while in motion?
- What high value assets are being transmitted?
- What would be the repercussions if these assets were intercepted or tampered with?
- How much of my environment do I trust?

Slide 16: Security of Credentials on the Wire
(Diagram: POST /tokens to Keystone; tokens then flow on to Nova, Cinder, Swift, ...)
- Attack vectors on both internal and external networks
- Assets: credentials and tokens
- Balance risk and cost

Slide 17: Application

Slide 18: Attack questions
- Will I know when I'm under attack? (and I will be...)
- Who is attacking me?
- What is their target?
- How do I stop them?

Slide 19: Keystone Intrusion Detection
Forensics: what will you need after an attack?
- Track users, token hashes, source IP addresses
- Perform analytics, correlation
- Security vs. privacy
- Aggregate logs in a central location
Prevention: how do you fend off an attack?
- Rate limiting to impede brute force attacks
- Blacklist malicious IPs
- Detect and block anomalous user behavior
- Add request logging and blocking at a proxy, load balancer, or in a Keystone filter
- Challenges to foil automated attacks
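An added example, not from the presentation, of two points on this slide: a sliding-window count of failed POST /tokens per source IP (the signal a proxy, load balancer or Keystone filter would rate-limit or block on) and storing token hashes rather than raw tokens in forensic records. The log line format, threshold and window are assumptions, and the log lines are constructed.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines in an assumed proxy/load-balancer format
# ("timestamp source_ip method path status"); not real Keystone log output.
SAMPLE_LOG = """\
2014-05-12T10:00:01 203.0.113.7 POST /v2.0/tokens 401
2014-05-12T10:00:02 203.0.113.7 POST /v2.0/tokens 401
2014-05-12T10:00:03 203.0.113.7 POST /v2.0/tokens 401
2014-05-12T10:00:04 203.0.113.7 POST /v2.0/tokens 401
2014-05-12T10:00:05 203.0.113.7 POST /v2.0/tokens 401
2014-05-12T10:00:06 203.0.113.7 POST /v2.0/tokens 200
2014-05-12T10:00:07 198.51.100.9 POST /v2.0/tokens 401
2014-05-12T10:05:00 198.51.100.9 POST /v2.0/tokens 401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(line):
    """Split one log line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), ip, method, path, int(status)

def token_hash(token):
    """Keep only a SHA-256 digest of a token in forensic records: enough to
    correlate requests, while the log itself never becomes a credential store."""
    return hashlib.sha256(token.encode()).hexdigest()

def brute_force_sources(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: time_first_flagged} for sources that produced at least
    `threshold` failed POST /tokens within any sliding `window` (assumed
    values). A proxy or Keystone filter could rate-limit or block them."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for ts, ip, method, path, status in map(parse, lines):
        if not (method == "POST" and path.endswith("/tokens") and status == 401):
            continue                  # only failed token requests count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Running `brute_force_sources(SAMPLE_LOG.splitlines())` flags only 203.0.113.7; the two failures from 198.51.100.9 are five minutes apart and stay below the window threshold.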

Slide 20: User validation questions
- Am I effectively validating my users?
- Are passwords enough?
- What additional kinds of auth should I support?
- How should I implement it?

Slide 21: Two Factor Auth
(Diagram of Keystone backend drivers, authenticators and identity providers: LDAP Driver -> LDAP Server; SQL Driver -> MySQL DB; RADIUS Driver -> RADIUS Server -> RSA SecurID, Symantec VIP Gateway, ...; the VIP Gateway in turn talks to an LDAP Server and the VIP Service)

Slide 22: Service authentication questions
- How do my services and scripts authenticate themselves?
- How do I delegate?
- How do I control access scope?
- What is the technical and management cost of a solution?

Slide 23: Autonomous Authentication
(Diagram: a service such as Nova presents credentials to Keystone and receives a service token; which credentials?)
Considerations:
- Secure cached credentials
- Limit scope
- Expiration
- Management
- Delegation
Potential solutions:
- Cached passwords
- EC2 keys
- Trusts
- Keys
- Certificates
- ?

Slide 24: Standards...

Slide 25: Keystone and Standard Protocols
- Interest in industry standard identity protocols for OpenStack
  - Symantec has been through a migration like this before
  - Community has already submitted blueprints
- Benefits
  - Single sign on
  - Improved integration
  - Control over credentials
  - Unified authentication experience
- Symantec will look to participate in this effort

Slide 26: Parting thoughts
- Protect your credentials everywhere
- Securing your use of Keystone is an ongoing process
- Share

Slide 27: Q&A

Slide 28: Thank you!
Keith Newstadt
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

