Securing OpenStack for compliance
Slides from a lecture delivered at OpenStack Summit Hong Kong.
© MIRANTIS 2013 PAGE 1
Securing OpenStack for compliance
Tomasz ‘Zen’ Napierała
Sr. OpenStack Engineer
Tomasz Z. Napierała
Senior OpenStack Engineer @ Mirantis, Inc.
automation, web performance, compliance, security
Mirantis, Inc.
Largest independent vendor of OpenStack services and technology.
We operate from Mountain View, California, with remote offices in Russia, Ukraine and Poland.
60+ successful OpenStack implementations and 400+ infrastructure experts.
Agenda
What’s included
• State of cloud compliance
• Modules overview
• Practical tips
What’s not included
• Securing VMs
• Guarantee
PCI DSS overview
PCI DSS recap
• Set of policies and procedures
• Optimize security of financial data processing
• Protect cardholders
• 12 general requirements
• Ongoing process
• PCI DSS version 2.0
State of compliance in cloud
• Not possible (pre 2012)
• Hard, not clear (pre 2013)
• PCI DSS 2.0 Cloud Computing Guide (Feb. 2013)
• Production deployments
• Rackspace
Where are we
Rely on Cloud Service Provider for HW -> Hypervisor related compliance
Phil Cox, RightScale
Where are we
Stack layers (diagram): Hardware, Network, Storage, Hypervisor, VM
PCI DSS requirements
Source: http://www.datasecureworks.com/images/Trustwave/pci-requirements-grid.png
Projects history
• Initially launched for customer (2 engineers)
• Moved into internal project (2+ engineers)
• Some parts reused in other projects
• 2 clients using the tools
Projects limitations
• RedHat / CentOS compatible
• Only for private IaaS clouds
• Operator centric
• Technology focused
• Everything in scope
• No “redo”
• No OpenStack patches
• No firewall management
Ingredients
Elements
• Baseline hardening
• HSM PoC
• Auditing system
• Log collection system
• Intra cluster secure communication
• Audit tools
• Documentation
Tools
• Fuel extension
• Puppet modules
• OpenStack patches (not included)
• OpenSCAP profiles (SRR)
• Documentation
• Checklist
Notes
• PCI DSS 2.0
• NIST
External dependencies
• LDAP / AD
• HSM (PoC available)
• Secure database + SSL
Puppet modules
aide
• File integrity checking with AIDE
auditd
• Auditing and logging during boot
• Auditing and logging in runtime
• Crucial file access monitoring
• Over 80 rules
• Based on Aqueduct project https://fedorahosted.org/aqueduct/
baseline
• Disabling services
• Sysctl tuning
• Disabling interactive startup
• Password for single mode
• Profile tuning
• PCI DSS required info in issue/issue.net
clamav
• Scanning policies
• Update policies
• Logging
controller_ipsec
• Mesh tunnels between controllers
limits
• Tuning system limits
Logstash (+ kibana + zeromq)
• Entire log collection infrastructure
• Predefined OpenStack inputs + filters
pam
• Cracklib
• Blocking accounts
pwpolicy
• Password policies
rabbitmq
• Added SSL support
securetty
• Disabling root login on console
secureusers
• Securing internal OpenStack and system users
ssh
• Secure SSH client and server configuration
sudo
• Protecting from shell escapes
• Disabling sudo su for root
• Secure defaults for sessions
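As an added illustration (not the Mirantis module's code), a minimal Puppet class that covers the three sudo bullets above; the admin group `wheel`, the drop-in path and the log file location are assumptions.

```puppet
# Added example, not the Mirantis "sudo" module. Implements: protection from
# shell escapes (noexec), no "sudo su" to root, secure session defaults.
# Assumptions: admins are in the 'wheel' group; drop-in lives in /etc/sudoers.d.
class sudo_hardening (
  $admin_group = 'wheel',
) {
  package { 'sudo':
    ensure => installed,
  }

  # validate_cmd runs visudo on the staged file first, so a syntax error is
  # rejected by Puppet instead of breaking sudo for everyone on the host.
  file { '/etc/sudoers.d/10-hardening':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    validate_cmd => '/usr/sbin/visudo -cf %',
    content      => "# Managed by Puppet (sudo_hardening)
# Shell escapes: programs run via sudo (editors, pagers, less, vi) may not
# exec() further commands. Needs sudo's noexec support (present in
# RHEL/CentOS builds).
Defaults    noexec
# Session defaults: clean environment, fixed PATH, a pty plus I/O logging so
# every privileged session is attributable and reviewable.
Defaults    env_reset
Defaults    secure_path=\"/usr/sbin:/usr/bin:/sbin:/bin\"
Defaults    use_pty
Defaults    log_output
Defaults    logfile=\"/var/log/sudo.log\"
Defaults    timestamp_timeout=5
# Deny su explicitly. sudoers(5) warns that '!' exclusions can be defeated by
# copying or renaming the binary, so treat this as a guard against casual
# 'sudo su -' and prefer an explicit command whitelist where practical.
Cmnd_Alias  SU = /bin/su, /usr/bin/su
%${admin_group}  ALL=(ALL) ALL, !SU
",
    require      => Package['sudo'],
  }
}
```

Apply with `include sudo_hardening`, or override the group with a resource-like declaration such as `class { 'sudo_hardening': admin_group => 'cloudadmins' }`.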
What’s not included
• System images
• Glance protection
• Swift encryption
Tips
• HSM (PoC available)
• Compliance is not technology
• Virtualized != cloud
• Automation is king
• Get an expert
• Get experienced QSA
• Use Quantum
Notes
• Buggy egress filtering in Grizzly
• No default TLS support in VNC
• No image scanning, shredding, etc.
• User cleanup scripts
• No logging framework for tracking cloud activities?
• No granular access rights
• No default “zero access” policy
Notes on 8.5
Notes on 10.1
Roadmap
• Publication will be announced on Mirantis blog
• Planned date: end of 2013
Questions?