enterprise private cloud appliance
TRANSCRIPT
Securing OpenStack
Chris C. Kemp
About Chris C. Kemp
Chris C. Kemp / Twitter @Kemp
• OpenStack Co-Founder• Former CTO for IT, NASA• Founder and CEO of Nebula, Inc.
Open source software for buildingprivate and public clouds.
OpenStack is a wonderful choice for the security-minded enterprise’s private cloud *if* best practices are followed during
all stages of implementation and operation.
I’m not *only* making outrageous claims, I’m going to make some points to back this up with the rest of my talk.
OpenStack is a *true* cloud platform
1. On-demand … through self-service interfaces2. Elastic … dynamically scale up and down3. Shared … pooled resources4. Metered by use … at high level of granularity5. Accessible … broadly over the network
OpenStack Details
• Multi-tenant, massively scalable, open source cloud operating system.
• Supports various hypervisors, including: Xen/XenServer , KVM, Hyper-V, VMWare/ESX, Linux Containers (LXC), QEMU, UML
• Flexible network and storage options• Apache 2.0 open source license
Why Build Private Cloud?
1. Maturity. Ability to overcome barriers to entry related to culture, process, technology, experience, and tools.
2. Performance. Need to deploy an application near the data and services that are already deployed on premises - lower latency and increased bandwidth.
3. Security. Must keep data inside Company’s security perimeter, where we trust security team, tools, and processes.
4. Cost. TCO much higher for predictable IaaS workloads.5. Architectural Constraints. Application is not architected
to run well in public cloud, or has unique technical requirements.
By the Numbers
• Community includes 2300 people from 153 Companies
• Over 100 active committers with 250K lines of code
Who is Involved?
And many more…
OpenStack Conceptual Architecture
So, now we know a little something about OpenStack..
CIO
“Sounds exciting!”
CSO
“Sounds target-rich..”
…and we’re forming some initial opinions….
Security and the OpenStack project
OpenStack Security Community Highlights
OpenStack project groups– Vulnerability response– Formalizing security– Audit projects– Multiple security-centric
blueprints – ongoing code improvements
Commercial efforts– Professional penetration Testing /
API fuzzing– Sponsored bugfests with growing
participation– Active and ongoing source code
review process
Bringing defense in depth to OpenStack clouds
Assuming you’ve laid the foundation….
Before we begin we’ll need the governance, guidance, and groundwork that will define the requirements..
- CSA Security Guidance - Critical Areas of Focus in CloudMapping the Cloud Model to the Security Control & Compliance Model
• Compliance and Audit
• ERM
• Legal and Electronic Discovery
• Information Lifecycle
• Corporate policy
• Portability
• Interoperability
• Architecture
• Operations “touch points”
….let’s take a closer look at the technologies in play.
OpenStack Conceptual Architecture
OpenStack Logical Architecture
OpenStack - Under the hood…
Everything needs to be hardened and continuously monitored.
…Luckily, we have a few best practices for doing this stuff with open source software.
• Mostly implemented in Python
• REST and WSGI communication between services
• Multiple application choices to implement backend• databases• queue• networking
OpenStack compute service (nova)
• Equivalent to Amazon EC2
• Runs virtual machines on hypervisor of your choice
• Includes support for block volumes external to hypervisor
• The architecture of nova allows for massive parallel scaling, but to get there requires some complexity.
Underlying technologies
• nova-compute– speaks to libvirt, XenAPI,
etc.• nova DB– SQLalchemy & a SQL DB
• queue– Python Kombu+AMQPlib– rabbitmq
Underlying technologies
• Nova-network– Provides connectivity
• Nova-volume– provides volume API– Backended with iscsi,
sheepdog, ceph, etc
• nova-scheduler– Determines available resources– Assigns workloads
OpenStack Compute Security Considerations
• Secure your hypervisor – This is a topic for another talk… but certainly not trivial.
• Choose a database– Consider high availability– Enhanced security configuration
• Message Queue– Harden the queue software’s configuration– Monitor and correlate queue messages
• Choose filesystem(s)– Enable filesystem’s security features– Deploy hardened daemons– Monitor activity
• Monitor API access
OpenStack object store (swift)• Similar to Amazon S3
• Configurable number of duplicate object replicas
• Supports geo-replication of objects
• Internally:– memcache provides caching for
scale and speed – SQLite– rsync– python greenlets/eventlet
OpenStack Object Store Security considerations
• Properly secure underlying technologies– memcached, rsync
• Implement and test RBAC
• Restrict admin read access to objects– Least privilege, is admin read access required?
• Integrated information lifecycle– Automate / integrate IL processes when possible
• Monitor & correlate API access– Record all access to the object store
OpenStack Dashboard (Horizon)
• Standard webapp stuff
• django-based
• Uses keystone for authN/Z
OpenStack Dashboard Security considerations
• Use enterprise authentication behind keystone
• Standard webapp hardening process
• Protect credentials
• Monitor access and correlate
OpenStack image service (glance)
Provides a repository for VM images and snapshots
• SQL for metadata
• Supports for multiple backend filesystems• Ceph• S3 / Swift• Local FS
OpenStack Image Service Security Considerations
• Choose distributed filesystem(s)– Enable filesystem’s security features and
configure hardened endpoints– Monitor activity
• Choose a database– Consider high availability– Enhanced security configuration
• Audit– Automate audit of images for OS controls
• Patch management– Automate patching and configuration updates to
OS images
OpenStack Identity Service (keystone)
• authN and authZ provider for OpenStack
• Rewrite introduced a new architecture – Straightforward integration with commercial / external auth
products and solutions
OpenStack Identity Service Security considerations
• Use backend enterprise authentication provider – – OpenStack is not an identity project– Keystone’s backend API provides easy integration for
authN, and acceptable authZ
• Monitor API access– Attempts– Failures
• Logging - Monitor and correlate– Monitor identities across OpenStack– Debug loglevel is informative but sensitive
Other parts of the OpenStack ecosystem
• OpenStack incubated projects– Two exciting networking projects• Quantum• Mélange
• Other interesting OpenStack projects– Database-as-a-Service– Dashboard enhancements and plugins– Hybrid cloud functionality
(cloudgateway, etc)
…Zooming back out
Enough of the trenches. This is a keynote, after all.
OpenStack seems to be made up of defensible technologies
– Lots of readable python– Databases: sqlite, mysql, postgres– Message queue: rabbitMQ– Distributed Filesystems: gluster, ceph– Hypervisors: Xen, KVM, ESXi, Hyper-V*– memcached– django– authN / authZ API interface – Linux security features
OpenStack Logical Architecture
…But It’s the responsibility of the implementer to turn the “security switches” to “on.”
Harden
Integrate
Monitor
So - OpenStack isn’t a production-ready cloud?
• Most technical security controls required for compliance are NOT built in to OpenStack.
•
• That shouldn’t dissuade you. • The building blocks are all in place.
Hardening OpenStack system environments
• Restrict network and data access to least privilege
• Enable security features of underlying software
• Configure security features of the underlying OS
• Harden the hypervisor
• Use PKI for SSL
• Implement database security
Integration - benefits to even the playing field
Some integration points:• SIM/ SIEM • IR automation / Live Forensics• CMDB / Service desk • Asset mgmt / Patch mgmt• Auditing process automation• IPAM
Integrating the underlying cloud framework into these elements yields huge benefits
Monitoring – Benefits in the open cloud
OpenStack is powerful foundation to build advanced security controls
Building complex solutions becomes relatively simple
• SIEM sees significant benefits• Automated Incident Response• Cloud-wide flow monitoring• Security appliances: IPS-aaS, FW-aaS, …
Defense in depth of workloads in cloud
• An integrated defense in depth strategy can benefit from open source software and from private cloud
• OpenStack is a great example
Back out to “The big picture”
- CSA Security Guidance - Critical Areas of Focus in Cloud Mapping the Cloud Model to the Security Control & Compliance Model
Looking ahead - 2012 and OpenStack security
A few ideas we’re kicking around at :• Interesting security-as-a-service potential
– Quantum provides some of the missing building blocks needed for metered and scalable security controls on demand in OpenStack
• IR process integration offers excellent coverage– Potential for huge efficiency improvements in remediation of incidents and live
response activities• SIM / SIEM benefits
– Coverage over large infrastructure increases value of SIM integration– The visibility and control that IaaS offers eases SIM complexity
The coming year looks to be very exciting for the OpenStack project, and specifically for OpenStack security.
OpenStack-based products could offer powerful security options.
Conclusion
• OpenStack is a flexible foundation– It’s a viable option, but not necessarily right out of the box– It’s not right for every workload or enterprise– Its open-ness is a big plus for security
• Still some significant unanswered security questions– Expect to see commercial OpenStack-based products
bridging this gap
• Exciting new developments improving the security of OpenStack are happening every day
Thanks for listening!
Chris C. KempTwitter: @Kemp