OpenStack Security: A Primer

Transcript of Open stack security emea launch (31 slides)

Page 1

OpenStack Security: A Primer

Page 2

Me: Joshua McKenty
Twitter: @jmckenty
Email: [email protected]

Former Chief Architect, NASA Nebula
Founding Member, OpenStack
OpenStack Project Policy Board

Page 3

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier

Page 4

Page 5

The Three Pillars of Security

Theatre
“Proof”
Real Security

Page 6

“Bonus” Security Pillar

Theatre
“Proof”
Real Security
Forensics

Page 7

Real Security

Assume everything goes wrong, even impossible things.

Page 8

Defining Security

FIPS 199 definition: Confidentiality, Integrity, Availability

Page 9

Defining Vulnerability

Page 10

Build on “Shared Nothing” to achieve “Trust No One”
Also known as “Defense in Depth”

AUTOMATE EVERYTHING
“Fat Fingers” == plausible deniability
Automated == non-repudiable change control

Build to the OSI 7-layer model

Page 11

Layer 1

Page 12

Layer 1, 2 and 3

Lock your doors
Do your background checks
Use separate physical networks for admin
Network model and management
Use RFC 1918 address space when appropriate
Use VLANs if necessary
Firewall every machine (ebtables, iptables)
Border firewalls (port and protocol level)

Page 13

Never assume it’s bilateral

Page 14

Layer 4, 5, 6 and 7

Control system access
Best case: no host-based shell access AT ALL.
Second-best: federated AUTH with 2-factor, keys only
Worst case: host-level root login with passwords
Run IDS – on hosts and guests
Scan continuously – hosts and guests, on all networks
Proactively defend – Fail2Ban, etc. (F2B-a-a-S)

Page 15

Layer ‘V’

Don't trust the hypervisor (TXT / TPM)
Conversely, don't trust the VM (blue-pill exploits, etc.)
Host-based FW within the VM (CloudPassage "Halo")
Access-control for VMs – same approaches apply (Auth-as-a-Service)

Page 16

“Proof” and Policy

In God We Trust – All Others, Bring Data.

Page 17

Page 18

Log early, log often

Classic best practices – redundant, off-site log servers
Log aggregation and analysis / event detection
Logging-as-a-Service
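The "log aggregation and analysis / event detection" bullet is where the earlier "Proactively defend – Fail2Ban" bullet pays off at cloud scale: a per-host tool only sees its own host, while an aggregated view catches a source that spreads its attempts thinly across many machines. The following is an added example for this transcript, not code from the talk or from any of the projects it names. It parses constructed sshd "Failed password" lines from two compute hosts and runs a sliding-window burst detector either per host or over the aggregated stream. The log lines, the threshold of 5 failures in 60 seconds, and the assumption that year-less syslog timestamps all fall in the same year are constructed for the example.

```python
"""Sliding-window failed-login detection over aggregated sshd logs.

Added example for this transcript; not the talk's own code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source spreads five failures across two hosts,
# a legitimate operator mistypes once, and an unrelated source fails once.
SAMPLE_AUTH_LOG = """\
Jan 14 10:00:01 compute01 sshd[2001]: Failed password for root from 192.0.2.10 port 51000 ssh2
Jan 14 10:00:03 compute01 sshd[2002]: Failed password for root from 192.0.2.10 port 51001 ssh2
Jan 14 10:00:05 compute01 sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 51002 ssh2
Jan 14 10:00:07 compute02 sshd[3001]: Failed password for root from 192.0.2.10 port 51003 ssh2
Jan 14 10:00:09 compute02 sshd[3002]: Failed password for root from 192.0.2.10 port 51004 ssh2
Jan 14 10:00:30 compute02 sshd[3003]: Failed password for ops from 10.0.0.5 port 40000 ssh2
Jan 14 10:00:45 compute02 sshd[3004]: Accepted publickey for ops from 10.0.0.5 port 40001 ssh2
Jan 14 10:15:00 compute01 sshd[2010]: Failed password for root from 198.51.100.7 port 2222 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(log_text):
    """Return a list of (timestamp, host, source_ip) for each failed login.
    Syslog stamps carry no year; all lines are assumed to share one year."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("host"), m.group("src")))
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60), per_host=False):
    """Return {key: peak failures inside one window} for keys at or over threshold.

    key is the source IP (aggregated view) or (host, source IP) when
    per_host is True, which mimics a host-local tool such as Fail2Ban.
    """
    by_key = defaultdict(list)
    for ts, host, src in events:
        key = (host, src) if per_host else src
        by_key[key].append(ts)

    alerts = {}
    for key, times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it is within `window` of t.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_AUTH_LOG)
    print("per-host:", detect_bursts(evts, per_host=True))
    print("aggregated:", detect_bursts(evts))
```

With the sample data the per-host view fires nothing (3 and 2 failures on the two hosts), while the aggregated view flags the source with 5 failures in one window; that gap is the argument for shipping logs to a central, redundant server before doing detection.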

Page 19

CloudAudit

Make and verify your assertions (Coming soon…)

Page 20

Did you remember to delete his account?

Page 21

Security Theatre

“Given enough hand-waving, all systems are secure.”

Page 22

Page 23

Don’t get confused!

Crypto is useless – if keys are stored with the data
Private networks are useless – if doors aren’t locked
Certification only proves that you’re doing what you said you were going to do. You can still be wrong.
Forget “Trust, but verify”. Just don’t trust.

Page 24

Bonus: Forensics

It’s not an “If” – it’s a “When”

Page 25

Bonus Section: Forensics

Have a chaos-monkey of compromise
Can you perform forensics and remediation without impacting other users of your cloud?
Spanning ports and extra storage
“Graveyard” for recently deleted images, instances

Page 26

What’s in the CloudPipe?

“We can only see a short distance ahead, but we can see plenty there that needs to be done.” – Alan Turing

Page 27

The Machine, aka “Sneaky Monkey”

Continuous integration of penetration and vulnerability testing.

Page 28

Hardening

We’re doing “stuff”. No… really.

Page 29

Trusted Execution

Outfoxing the fox
Intel is working with many companies within OpenStack, including Piston.

Page 30

Questions?

Page 31

Credits

Matt Linton – Nebula CSO
Jesse Andrews – AnsoLabs Founder
Soo Choi – 7120.7 Nazi
Matt Chew-Spence – FIPS 199 Guru
Keith Shackleford and James Williams
Chris Kemp
Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2…