Compliance and Security for OpenStack Deployments

Page 2: Compliance and Security for OpenStack Deployments

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted

Compliance and Security for OpenStack Deployments

Joost Pronk van Hoogeveen, Tech Lead Solaris Product Management, Director Oracle Solaris Engineering, Systems Group. November 18, 2015

Page 3: Compliance and Security for OpenStack Deployments


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Page 4: Compliance and Security for OpenStack Deployments


Agenda

1. Goal – Secure, Compliant Application Deployment
2. Introduction to OpenStack
3. Secure Installation
4. Compliant Runtime

Page 5: Compliance and Security for OpenStack Deployments


Simple, Secure Cloud Scale Deployment and Compliance From Development to Production

[Lifecycle diagram around "YOUR APP", with the stages: 1-step secure image creation; Create your application VMs; Secure deployment; Set Compliance Policy; Compliance Audit]

Page 6: Compliance and Security for OpenStack Deployments


First – We talk about OpenStack


Page 7: Compliance and Security for OpenStack Deployments


Page 8: Compliance and Security for OpenStack Deployments


OpenStack Integrated into Oracle Solaris

Built into the Infrastructure (the Oracle Solaris technology behind each OpenStack service is given in parentheses):

• Horizon – Centralized Cloud Management
• Nova / Ironic – Self-Service Compute and Bare Metal (Zones and Kernel Zones)
• Neutron – Software Defined Networking (Elastic Virtual Switch and Open vSwitch)
• Cinder / Swift – Cloud Scale Storage (ZFS File System)
• Heat / Glance / Murano / Trove – Platform as a Service (Unified Archives)

Page 9: Compliance and Security for OpenStack Deployments


General Cloud Architecture with OpenStack Controller

OpenStack Physical Layout

[Diagram: an OpenStack Controller, a Network Node, a Storage Node and five Compute Nodes, connected by the Storage Network, the Cloud Network, the OpenStack Network and the Public Network]

11/19/2015 Confidential - For Internal Use Only

Page 10: Compliance and Security for OpenStack Deployments


OpenStack Services – Overview of Core Components

Component   Description
Nova        Compute virtualization
Cinder      Block storage
Neutron     Software defined networking
Keystone    Authentication between cloud services
Horizon     Web based dashboard
Glance      Image management and deployment
Swift       Object storage
Heat        Application and VM orchestration
Murano      Application catalog
Trove       Database as a Service

Page 11: Compliance and Security for OpenStack Deployments


OpenStack Logical Layout


Page 12: Compliance and Security for OpenStack Deployments


Second – We talk about installing OpenStack


Page 13: Compliance and Security for OpenStack Deployments


Remember this?


Page 14: Compliance and Security for OpenStack Deployments


Oracle Solaris 11 Packaging

• Secure and seamless software delivery mechanism
• Impossible to install mismatched software, including firmware
• No modifications to the running OS; complete safety with BEs (boot environments)
• Fully integrated with Zones

Page 15: Compliance and Security for OpenStack Deployments


Image Packaging System

• Seamless integration with IPS
  – Full dependency management
  – Fail proof updates with rollback
• Integrated with Oracle Solaris Zones and Unified Archives for seamless lifecycle management
• Foundation for cloud update strategy
  – Configuration and database schemas updated through SMF update services with full rollback

Easy and fast cloud update

[Diagram: boot environments "11.2 SRU 1" and "11.3 Clone"]

Page 16: Compliance and Security for OpenStack Deployments


Service Management Facility

• OpenStack services run with the minimum privileges necessary, and don’t run as root
  – Create users for different OpenStack services
  – Leverage RBAC to enable privileged actions
• Automatic service restart from failure
  – Integrated with Oracle Solaris fault management
  – Full dependency checking for precise and efficient cloud start up

Secure, highly available and reliable cloud services

[Diagram: SMF Services]

Page 17: Compliance and Security for OpenStack Deployments


OpenStack Cinder/Swift Data Management – ZFS

• ZFS is the foundation for Cinder and Swift
  – iSCSI or FC LUN provisioning
  – Leverage integrated data services including snapshots, compression and encryption
  – These data services are completely transparent to the guests
• Integrated OpenStack support for ZFSSA (Oracle ZFS Storage Appliance)

Production ready data management, no compromises

[Diagram: Virtual Environments consuming a Cinder Volume backed by iSCSI LUNs]

Page 18: Compliance and Security for OpenStack Deployments


Third – We talk about OpenStack at Runtime


Page 19: Compliance and Security for OpenStack Deployments


Oracle Solaris Zones and Kernel Zones

• OpenStack instances on Oracle Solaris are based on Zones and Kernel Zones
  – Common Criteria Evaluation includes Zones as a secure boundary
• Network and Storage lockdown
  – Isolated networking (VLAN & VXLAN) and antispoofing
  – Encrypted Cinder volumes
• Locking down the OS namespaces with Immutable Zones
  – Both for the undercloud as well as guest instances

[Diagram labels: Oracle Solaris 11.3, SRU9, Solaris 11.3 Zone (DATABASE), Solaris 11.2 Zone (WEBLOGIC SERVER), Solaris 11.4 Zone, Virtual Router, Infiniband Fabric, 10GbE Network, iSCSI 1 … iSCSI N]

Page 20: Compliance and Security for OpenStack Deployments


Immutable Zones – Security Policies

Policy                  Use Cases                               Install   Edit Config  Modify SMF  Write to  Audit/Log     Create
                                                                Packages  /etc         Services    /var      Location      Zones
none (default)          Development                             Yes       Yes          Yes         Yes       Local/Remote  Yes
flexible-configuration  High Touch Applications                 No        Yes          No          Yes       Local/Remote  No
fixed-configuration     Applications, Services, Infrastructure  No        No           No          Yes       Local/Remote  No
dynamic-zone            OpenStack Nova                          No        No           No          No        Local/Remote  Yes
strict                  Ephemeral Applications                  No        No           No          No        Remote        No

Page 21: Compliance and Security for OpenStack Deployments


Apply Security Policy – How to Configure

# zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
# zoneadm -z myzone boot

Page 22: Compliance and Security for OpenStack Deployments


Modify Security Policy – Zone Login + Attempted Change

# zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
# zoneadm -z myzone boot
# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system
myzone# pkg install emacs
pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem.

Page 23: Compliance and Security for OpenStack Deployments


Modify Security Policy - Trusted Path from Global Zone

# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system

# zlogin -T myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
myzone#

baduser$ zlogin -T myzone
zlogin: baduser is not authorized for failsafe, trusted path or non-interactive login to myzone zone.

Page 24: Compliance and Security for OpenStack Deployments


Using Immutable Zones in OpenStack

• The undercloud locked down
  – OpenStack nova-compute nodes run with the dynamic-zone policy
  – Allowing only Zones to be installed and run, but otherwise completely locked
• The guest instances
  – Through OpenStack flavors, as part of nova, the tenant user can choose to use any of the other policies
  – Use none for development and strict for production, for example

[Diagram: an Oracle Solaris host running Immutable Guests behind a Firewall]

Page 25: Compliance and Security for OpenStack Deployments


Unified Archives

• Next generation golden images
  – Single archive for physical and virtual environments – seamless P2V and V2P
  – Leverages ZFS, IPS and SMF
  – Fast to develop, fast to deploy
• Secure and compliant deployment
  – Secure archives that can be validated
  – Maintain settings in the clone image to maintain compliance level
  – Develop/clone from base images

[Diagram: an Oracle Solaris 11.3 host with 11.2, 11.2.1, 11.3 and 11.4 zones and VMs; "Deploy clone archive" with V2P and V2V paths]

Page 26: Compliance and Security for OpenStack Deployments


Fourth – We talk about Compliance Checking


Page 27: Compliance and Security for OpenStack Deployments


General Compliance Checking - OpenSCAP

• Security Content Automation Protocol (SCAP)
• NIST standard
• Expresses security policies as machine readable code
• XCCDF and OVAL are the main components
• OpenSCAP is the open source implementation, supported by a wide community
• Reports are interchangeable with other platforms
• Oracle Solaris ships with OpenSCAP and has several policies bundled
  – Example is PCI-DSS for the credit card industry
  – Possibility to write your own policy

Page 28: Compliance and Security for OpenStack Deployments


Simple Compliance Reporting


Page 29: Compliance and Security for OpenStack Deployments


Compliance Benchmarks and Profiles

# compliance list -b

pci-dss solaris

# compliance list -p

Benchmarks:

pci-dss: Solaris_PCI-DSS

solaris: Baseline, Recommended

Assessments: No assessments available

Page 30: Compliance and Security for OpenStack Deployments


Compliance Assessment

# pfexec compliance assess -b solaris -p Baseline -a baseline

Title Package integrity is verified

Rule OSC-54005

Result pass

....

# pfexec compliance list -vp

Benchmarks:

pci-dss: Solaris_PCI-DSS

Payment Card Industry Data Security Standard

solaris: Baseline, Recommended

Oracle Solaris Security Policy

Assessments:

baseline: log report.html results.xccdf.xml
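The assessment above leaves results.xccdf.xml next to the HTML report, and because XCCDF results are interchangeable across platforms they can be consumed by any tooling, not only by the Solaris compliance command. The script below is an added example, not part of the original slides or of the Oracle Solaris compliance tool: it parses an XCCDF results document, counts the outcomes, and lists the rules that still need attention ordered by severity. The sample document is constructed for illustration; only rule OSC-54005 and its title come from the slides, while the EXAMPLE-000n rules, the "baseline" test-result id and the "Baseline" profile reference are placeholders. It assumes the standard XCCDF element names (Rule, TestResult, rule-result, result) and accepts either the 1.1 or the 1.2 namespace.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF result values that do not count against compliance. Everything else
# (fail, error, unknown, notchecked) is surfaced for a human to look at: a
# rule that was never checked has not demonstrated compliance.
NON_FAILING = {"pass", "notapplicable", "notselected", "informational", "fixed"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample results document. Only OSC-54005 and its title come from
# the slides; the EXAMPLE-000n rules, the "baseline" TestResult id and the
# "Baseline" profile idref are placeholders made up for this example.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="example-benchmark">
  <Rule id="OSC-54005" severity="high"><title>Package integrity is verified</title></Rule>
  <Rule id="EXAMPLE-0002" severity="medium"><title>Constructed rule 2</title></Rule>
  <Rule id="EXAMPLE-0003" severity="medium"><title>Constructed rule 3</title></Rule>
  <Rule id="EXAMPLE-0004" severity="low"><title>Constructed rule 4</title></Rule>
  <Rule id="EXAMPLE-0005" severity="high"><title>Constructed rule 5</title></Rule>
  <TestResult id="baseline">
    <profile idref="Baseline"/>
    <rule-result idref="OSC-54005" severity="high"><result>pass</result></rule-result>
    <rule-result idref="EXAMPLE-0002" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="EXAMPLE-0003" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="EXAMPLE-0004" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="EXAMPLE-0005" severity="high"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Strip the namespace so XCCDF 1.1 and 1.2 documents are handled alike."""
    return tag.rsplit("}", 1)[-1]


def parse_results(xml_text):
    """Return one record per <rule-result>, joined with the <Rule> title and severity."""
    root = ET.fromstring(xml_text)
    titles, severities = {}, {}
    for el in root.iter():
        if _local(el.tag) == "Rule":
            rule_id = el.get("id")
            severities[rule_id] = el.get("severity", "unknown")
            for child in el:
                if _local(child.tag) == "title":
                    titles[rule_id] = (child.text or "").strip()
    records = []
    for el in root.iter():
        if _local(el.tag) != "rule-result":
            continue
        rule_id = el.get("idref")
        result = "unknown"  # a rule-result without a <result> child is treated as unknown
        for child in el:
            if _local(child.tag) == "result" and child.text:
                result = child.text.strip()
        records.append({
            "rule_id": rule_id,
            "title": titles.get(rule_id, ""),
            "severity": el.get("severity") or severities.get(rule_id, "unknown"),
            "result": result,
        })
    return records


def summarize(records):
    """Count outcomes and list the rules needing attention, highest severity first."""
    attention = [r for r in records if r["result"] not in NON_FAILING]
    attention.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 4), r["rule_id"]))
    return {
        "total": len(records),
        "counts": dict(Counter(r["result"] for r in records)),
        "needs_attention": attention,
        "compliant": not attention,
    }


def assess(xml_text):
    return summarize(parse_results(xml_text))


if __name__ == "__main__":
    # Pass the path of a results.xccdf.xml to summarize it; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XCCDF
    summary = assess(text)
    print("total rules: %d  counts: %s" % (summary["total"], summary["counts"]))
    for r in summary["needs_attention"]:
        print("%-8s %-12s %-14s %s" % (r["severity"], r["result"], r["rule_id"], r["title"]))
    print("compliant:", summary["compliant"])
```

Run it with the path of a results file produced by compliance assess to get the same summary for a real assessment. The design choice worth noting is that notchecked and unknown outcomes are reported alongside fail rather than being folded into pass: a tenant or auditor who only counts explicit failures would otherwise read a partially evaluated benchmark as compliant.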

Page 31: Compliance and Security for OpenStack Deployments


OpenStack Demo


Page 32: Compliance and Security for OpenStack Deployments


Compliance Checking with OpenStack

Checking the Undercloud
• Keep auditors happy and minimize impact on cloud admins
• OpenStack installs secure by default
• OpenSCAP helps with:
  – Further lockdown in the development phase
  – Ongoing validation of the compliant setup

Checking the Guest Instances
• Cloud tenants can easily verify compliance of their own instances
  – Improves image hardening during the development phase
  – Allows tenants to monitor ongoing compliance while in production
• Optionally the cloud vendor can offer compliance reports initiated from the undercloud

Page 33: Compliance and Security for OpenStack Deployments


Secure and Compliant Lifecycle

• Secure multi-tenant environments
  – Guaranteed VM integrity
  – Read-only VM lockdown
  – Complete network isolation
  – Secure key management
  – Fine grained authentication
• Comprehensive cloud ready compliance
  – Fully compliant out of the box
  – Easy compliance tailoring

Secure end-to-end deployment and comprehensive compliance checks

[Diagram: an Oracle Solaris 11.3 host with 11.2.1, 11.3 and 11.4 zones]

Page 34: Compliance and Security for OpenStack Deployments


Simple, Secure Cloud Scale Deployment and Compliance From Development to Production

[Lifecycle diagram around "YOUR APP", repeated from page 5, with the stages: 1-step secure image creation; Create your application VMs; Secure deployment; Set Compliance Policy; Compliance Audit]

Page 35: Compliance and Security for OpenStack Deployments


Q&A
