OpenStack - Security Professionals Information Exchange

Post on 06-May-2015

A presentation to the Security Professionals Information Exchange in Calgary on Nov. 24, 2011.


Infrastructure as a Service

An Introduction to OpenStack

Agenda

• Introductions

• Cybera

• Infrastructure as a Service

• OpenStack

• Security Landscape

• Other Technologies

• Methodologies

• Questions

Tech Adoption Curve

Amazon Web Services

OpenStack

“To produce the ubiquitous Open Source cloud computing platform that will meet the needs of public and private cloud providers regardless of size, by being simple to implement and massively scalable.”

OpenStack Object Storage

OpenStack Object Storage Architecture

OpenStack Image Service

OpenStack Compute

OpenStack Compute Architecture

OpenStack Security Fundamentals

• Keypairs

– Allow ssh access to your instance

– Name

– Public key

– Private key (returned once at creation; nova keeps only the public key and fingerprint)

– 1024 bit (the RSA size nova generated at the time; 1024-bit RSA is no longer considered adequate, so import your own 2048-bit or larger key instead)

– Public key is “injected” into the VM at boot

• Security Groups

– Firewall rules applied per instance

– Name

– Port (or port range)

– IP range (source CIDR)

– Protocol (tcp, udp or icmp)

– Live outside the VM: enforced on the compute host, so a compromised guest cannot switch them off
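As an added example (not code from the presentation or from OpenStack itself), the following Python script checks the two primitives on this slide the way an operator might audit a tenant: it parses an OpenSSH `ssh-rsa` public key line to measure the modulus and rejects anything below 2048 bits, and it scans security-group rules (the protocol / port / IP-range triple above) for sensitive services exposed to 0.0.0.0/0. The key material and the rule set are constructed inline; the `ssh-rsa` blob is synthetic and only exercises the parser, and the port list and the 2048-bit threshold are policy choices assumed here.

```python
"""Audit keypair strength and security-group rules.

Added example, not code from the presentation or from OpenStack.
The SSH key and the rule set below are constructed so it runs offline.
"""
import base64
import ipaddress
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold; the slide's 1024-bit keys fail it


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_key_bits(public_key_line):
    """Return the modulus size in bits of an OpenSSH 'ssh-rsa' public key line.

    The base64 blob is (RFC 4253): string "ssh-rsa", mpint e, mpint n.
    """
    fields = public_key_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def key_is_acceptable(public_key_line, min_bits=MIN_RSA_BITS):
    """True if the key meets the minimum modulus size."""
    return rsa_key_bits(public_key_line) >= min_bits


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (leading 0x00 if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def make_test_key_line(modulus_bits):
    """Build a syntactically valid ssh-rsa line with a synthetic modulus.

    The modulus is NOT a real RSA modulus (constructed test data); it only gives
    the parser something of a known size to measure.
    """
    n = (1 << (modulus_bits - 1)) | 1
    e = 65537
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " test@example"


# --- Security groups: protocol, port range, source CIDR -------------------
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def audit_security_group(name, rules):
    """Flag ingress rules that expose a sensitive service to the whole Internet.

    Each rule is a dict with ip_protocol, from_port, to_port and cidr, the same
    fields the slide lists.  Returns a list of human-readable findings.
    """
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen != 0:  # only 0.0.0.0/0 or ::/0 count as world-open
            continue
        proto = rule["ip_protocol"].lower()
        if proto == "icmp":
            continue  # world-reachable ping is usually tolerated
        lo, hi = rule["from_port"], rule["to_port"]
        if lo == -1 or (lo <= 1 and hi >= 65535):
            findings.append(f"{name}: {proto} all ports open to {net}")
            continue
        for port, service in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{name}: {service} ({proto}/{port}) open to {net}")
    return findings


# Constructed sample rule set, not real tenant data.
CONSTRUCTED_GROUP = [
    {"ip_protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.0.0.0/8"},
    {"ip_protocol": "icmp", "from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for bits in (1024, 2048):
        line = make_test_key_line(bits)
        print(bits, rsa_key_bits(line), key_is_acceptable(line))
    for finding in audit_security_group("web", CONSTRUCTED_GROUP):
        print(finding)
```

Only the source CIDR, protocol and port range are inspected; a rule whose source is another security group has no CIDR and would need to be resolved through that group's membership before this check applies.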

OpenStack Security Fundamentals

• HTTPS for the API endpoints

• VLANManager mode

– A VLAN and a bridge for each project

– Requires a switch that supports VLAN tagging (802.1Q) on the compute hosts' trunk port

– Private IPs that are only accessible from inside the project's VLAN

• Floating IPs

– Public addresses NATed on demand to an instance's private IP; the only way in from outside the VLAN

• VPN

– A special VPN instance (cloudpipe) needs to be created per project

– A certificate and key are issued for the user to access the VPN

– Haven’t put this to use yet
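To make the VLANManager slide concrete, here is an illustrative nova flag-file fragment for that mode. It is added here and is not the presenter's configuration; the interface names, VLAN number and address ranges are placeholders, and the flag names follow the Diablo-era flag syntax and should be checked against the release actually installed.

```text
# nova.conf (flag-file style), VLANManager mode. Illustrative values only.
--network_manager=nova.network.manager.VlanManager
# Trunk interface carrying one tagged VLAN per project; the switch must pass 802.1Q tags.
--vlan_interface=eth1
# First VLAN id handed to a project.
--vlan_start=100
# Interface on which floating IPs are bound and NATed to instances.
--public_interface=eth0
# Pool carved into per-project private ranges that are unreachable from other VLANs.
--fixed_range=10.0.0.0/8
--network_size=256
```

The per-project networks and the floating-IP pool are then created with `nova-manage network create` and `nova-manage floating create`; after that an instance is reachable from outside its VLAN only through a floating IP that its security groups permit.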

Open Security Architecture: Cloud Computing Pattern

• Cloud Computing Pattern

• Controls

IaaS Security Best Practices

• AWS Security Best Practices

– Protect your data in transit

– Protect your data at rest

– Protect your AWS credentials

– Manage multiple Users and their permissions with IAM

– Secure your application

IaaS Security Best Practices

• Twenty Rules for Amazon Cloud Security

– Encrypt all network traffic.

– Use only encrypted file systems for block devices and non-root local devices.

– Encrypt everything you put in S3 using strong encryption…

• Key Security Issues for the Amazon Cloud

– Amazon is in control of your data.

– The Amazon S3 cloud storage infrastructure is weakly secured.

– Perimeter security in the cloud is very different…

OpenStack Vulnerability Management

• wiki.openstack.org/VulnerabilityManagement

• The OpenStack vulnerability management team is responsible for coordinating the progressive disclosure of a vulnerability.

• Classification

– Critical, Normal, Low

• Process

– Reports arrive by encrypted email

– or as a private Launchpad bug entry

– Coordinated disclosure once a fix is ready

OpenStack Community

OpenStack Projects

• DAIR

– www.canarie.ca/en/dair-program/about

– github.com/canarie/dair

• Cloud-Enabled Space Weather Platform

– www.ceswp.ca

• NeCTAR

– www.nectar.org.au

Other Technologies

• Virtual Computing Lab

• StarCluster

• Moodle

• Nagios & collectd

• Puppet

• KVM

• Python & Django

• Groovy & Grails

• Git

• Ubuntu & CentOS

• NoMachine

DevOps

• In a DevOps environment, developers and sysadmins build relationships, processes, and tools that allow them to better interact and ultimately better service the customer.

• DevOps is also more than just software deployment – it’s a whole new way of thinking about cooperation and coordination between the people who make the software and the people who run it.

• Infrastructure as Code

Scrum

• Agile

• Iterative (sprints)

• Focused on delivery and feedback

• Customer collaboration

Tech Radar

Confucius Sez

“Real knowledge is to know the extent of one’s ignorance.”

Questions?

• slideshare.net/cybera/openstack-security-professionals-information-exchange

• cybera.ca

• cybera.ca/tech-radar

• cybera.ca/tech-radar/getting-started-with-cloud-openstack-cybera

• groups.google.com/group/cybera-tech-radar