Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.

Published byHoratio Fisher Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist."— Presentation transcript:

1 1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist

2 Agenda What is Symantec doing? Security Concepts for Grizzly Release – Centralized Software Defined Data Center Management – Network Segmentation – Token/PKI Based Authentication – Distributed Policy Management – Auditing and Compliance Areas of focus for Securing a OpenStack Deployment 2

3 About Symantec and Us About Symantec Making the world a safer place… Enterprise system and data protection Norton branded consumer protection (not just Antivirus) Tackling the big problems Pioneered the Big Data approach to malware detection Significant cloud presence (Norton, MessageLabs, OCSP, etc.) About Brian Chong Infrastructure Architect for our OpenStack efforts Security & Network Focused Interested in securing OpenStack at all tiers SYMC Confidential 3

4 What is Symantec Doing? We are building a consolidated cloud platform that provides infrastructure and platform services to host Symantec SaaS applications – An exciting “greenfield” opportunity to re-invent our cloud infrastructure with strong executive leadership support Our development model is to use open source components as building blocks – Identify capability gaps and contribute back to community We have selected OpenStack as one of the underlying infrastructure services layers We plan to analyze and improve the overall security posture of OpenStack components We are starting small, but will scale to thousands of nodes across multiple data centers Cloud Platform Engineering 4

5 Scope of Investigation Version of OpenStack : Grizzly Components : Nova, Neutron, Glance, Cinder, Keystone, Swift, Horizon General : – Database : MySQL – AMQP : RabbitMQ – Hypervisor : KVM – Operating System : Ubuntu Cloud Platform Engineering 5

6 Security on OpenStack : Traditional Model (Defense in Depth) 6 Router ACLs Load Balancer Filters Firewall Rules Application/Host Security

7 Security on OpenStack : Software Defined Data Center Centralized Data Model for control access – All Control points are accessible by the applications that control the Data Center for elasticity of the service – All Services have access to change the system in relatively large ways (Compute, Network, Storage) to manage service SLAs – Layered Security is now much more difficult than before, which means stronger pinpoint security is more critical than before Host based controls become more critical – Operating System – Hypervisor / Virtualization Driver – Console 7

8 Security Sphere Security Sphere N Security on OpenStack : Centralized Model 8 Software Defined API Router ACLs Load Balancer Filters Firewall Rules Application Security

9 Security on OpenStack : Network Segmentation BMC and IPMI functions : Control of Hardware components – Deny All except to specific participating Deployment Servers Host/Admin : Control of Operating System – Deny All except to specific Jump Servers Service API/Messaging : Control of IaaS, Messaging & Database services and Authentication – Deny All except to each physical interface on participating Servers Private/Storage : VM to VM traffic and Storage or internal PaaS Services – Controlled by local Firewall Access (iptables per host or external Firewall) Public : External Access outside of the Cluster – Controlled by Gateway/Load Balancer/Firewall 9

10 Security on OpenStack : Token/PKI Based Authentication Token Expirations (assumes Caching) – Correlation of all changes in the distributed model with a issued Token PKI Token Management – Signing Certificate Expiration – Signing Engine (HSM or SW) – Root CA Distribution SSL Service Management – SSL Certificate Expiration for Services – Root CA Distribution – Private key generation and Management 10

11 Security on OpenStack : Distributed Policy Model Definition of different roles and policies are defined in Keystone per tenant and globally Each service has a policy.json file that lists out which defined role for that specific service has the capability to execute Each service node should be synchronized for their specific policy files or a multi-service security model can be used for the same type of service – Each upgrade has to maintain and define new roles that are included in every release 11

12 Security on OpenStack : Distributed Policy Model 12 KeyStone Nova Neutron Role Name policy.jso n Role Definition

13 Security on OpenStack : Auditing and Compliance Auditing – Sources : Message Queues, Log Files, Database Message Queue Event Validation process Log Parsers for Event Handling and Threat Detection Database Triggers for Security Events Compliance – Role to Policy Validation – Code Patching and Upgrade Versioning – User Information (Name, Password, Roles, etc) – IT Mgmt (ISO 27001, FISMA, FedRamp, etc) – PKI Key Management 13

14 Security on OpenStack : Auditing and Compliance Example : Boot a Virtual Machine – Keystone (Log, Database) – Nova (Log, Message, Database) – Glance (Log, Database) – Neutron (Log, Message, Database) – Host (Log) – Horizon (Log, Database) All of these events must be correlated to make sure that the proper rules and privileges were used during each command and against a CMDB to validate authorization 14

15 Areas of focus for Securing a OpenStack Deployment Message Server and Queuing – Signing all Messages and Validating Authorization Database Server and Instances – Encryption of Critical Columns Certificate Management – Overall Management and HSM Integration Distribution Verification – Signed Policy Distribution and Loading into all Services 2 Factor Authentication / Single Sign On – Token Authentication with Single Sign On through Horizon 15

16 16 Questions?

Download ppt "1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist."

Similar presentations

A Flexible Cloud-Computing Platform Focus on solving business problems

A Flexible Cloud-Computing Platform Focus on solving business problems
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
Cloud Platform Engineering 1 November 5 th, 2013 Brian Chong and Shane Gibson An Evaluation of OpenStack Deployment Frameworks.

Cloud Platform Engineering 1 November 5 th, 2013 Brian Chong and Shane Gibson An Evaluation of OpenStack Deployment Frameworks.
Cloud computing is used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication.

Cloud computing is used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication.
STUDY ON OPENSTACK BY JAI KRISHNA. LIST OF COMPONENTS Introduction Components Architecture Where it is used.

STUDY ON OPENSTACK BY JAI KRISHNA. LIST OF COMPONENTS Introduction Components Architecture Where it is used.
© 2012 IBM Corporation Architecture of Quantum Folsom Release Yong Sheng Gong ( 龚永生 ) gongysh #openstack-dev Quantum Core developer.

© 2012 IBM Corporation Architecture of Quantum Folsom Release Yong Sheng Gong ( 龚永生 ) gongysh #openstack-dev Quantum Core developer.
Agile Infrastructure built on OpenStack Building The Next Generation Data Center with OpenStack John Griffith, Senior Software Engineer,

Agile Infrastructure built on OpenStack Building The Next Generation Data Center with OpenStack John Griffith, Senior Software Engineer,
OpenStack Open Source Cloud Software. OpenStack: The Mission To produce the ubiquitous Open Source cloud computing platform that will meet the needs.

OpenStack Open Source Cloud Software. OpenStack: The Mission "To produce the ubiquitous Open Source cloud computing platform that will meet the needs.
Keystone Security A Symantec Perspective on Securing Keystone

Keystone Security A Symantec Perspective on Securing Keystone
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
Submitted by- Mr. Avinash Sadaphule 20 November 2009 Management Trainee, MKCL.

Submitted by- Mr. Avinash Sadaphule 20 November 2009 Management Trainee, MKCL.
Security in the Cloud: Can You Trust What You Can’t Touch? Rob Johnson Security Architect, Cloud Engineering Unisys Corp.

Security in the Cloud: Can You Trust What You Can’t Touch? Rob Johnson Security Architect, Cloud Engineering Unisys Corp.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Zhipeng (Howard) Huang

Zhipeng (Howard) Huang
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.

BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Cloud computing Tahani aljehani.

Cloud computing Tahani aljehani.
Security in Cloud Computing Presented by : Ahmed Alalawi.

Security in Cloud Computing Presented by : Ahmed Alalawi.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Similar presentations

Ads by Google