OpenStack - Security Professionals Information Exchange

A presentation to the Security Professionals Information Exchange in Calgary on Nov. 24, 2011.

Transcript of OpenStack - Security Professionals Information Exchange

Page 1: OpenStack - Security Professionals Information Exchange

Infrastructure as a Service

An Introduction to OpenStack

Page 2

Agenda

• Introductions

• Cybera

• Infrastructure as a Service

• OpenStack

• Security Landscape

• Other Technologies

• Methodologies

• Questions

Page 3

Tech Adoption Curve

Page 4

Amazon Web Services

Page 5

OpenStack

“To produce the ubiquitous Open Source cloud computing platform that will meet the needs of public and private cloud providers regardless of size, by being simple to implement and massively scalable.”

Page 6

OpenStack Object Storage

Page 7

OpenStack Object Storage Architecture

Page 8

OpenStack Image Service

Page 9

OpenStack Compute

Page 10

OpenStack Compute Architecture

Page 11

OpenStack Compute Architecture

Page 12

OpenStack Compute Architecture

Page 13

OpenStack Security Fundamentals

• Keypairs

– Allows ssh access to your instance

– Name

– Public key

– Private key

– 1024 bit

– “Injected” into VM

• Security Groups

– Firewall

– Name

– Port

– IP range

– Protocol

– Live outside VM
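The security-group bullets above describe a firewall that sits outside the VM and is defined by name, protocol, port and source IP range. The following is an added example, not code from the slides or from OpenStack itself: a small Python model of that evaluation, default-deny ingress with allow rules matched on protocol, port range and source CIDR, run over a few constructed packets. It also includes a simple audit helper that lists rules open to the whole Internet, the kind of check a reviewer would want before trusting a group. The rule and packet values are constructed for illustration.

```python
"""Model of OpenStack-style security group filtering (added example, not project code).

Assumptions (constructed for this example, not stated on the slides):
  - ingress is default-deny; a packet is allowed if any rule matches
  - a rule is (protocol, from_port, to_port, source CIDR)
  - for ICMP the port fields carry the ICMP type, with -1 meaning "any type"
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "icmp"
    from_port: int  # start of port range (ICMP: type, -1 = any)
    to_port: int    # end of port range (inclusive)
    cidr: str       # permitted source address range

    def matches(self, protocol: str, src_ip: str, dst_port: int) -> bool:
        """True if this rule permits the given packet."""
        if protocol != self.protocol:
            return False
        # strict=False tolerates host bits set in the CIDR, e.g. "10.1.2.3/8"
        if ip_address(src_ip) not in ip_network(self.cidr, strict=False):
            return False
        if self.protocol == "icmp":
            return self.from_port == -1 or dst_port == self.from_port
        return self.from_port <= dst_port <= self.to_port


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule]

    def allows(self, protocol: str, src_ip: str, dst_port: int = 0) -> bool:
        """Default deny: only a matching allow rule lets the packet through."""
        return any(r.matches(protocol, src_ip, dst_port) for r in self.rules)


def world_open_rules(group: SecurityGroup) -> List[Rule]:
    """Audit helper: rules whose source range covers every address (0.0.0.0/0)."""
    return [r for r in group.rules if ip_network(r.cidr, strict=False).prefixlen == 0]


def evaluate(group: SecurityGroup, packets: List[Tuple[str, str, int]]) -> List[Tuple[Tuple[str, str, int], str]]:
    """Return (packet, verdict) pairs for a list of (protocol, src_ip, dst_port) tuples."""
    return [(p, "ALLOW" if group.allows(*p) else "DROP") for p in packets]


def sample_group() -> SecurityGroup:
    """Constructed group: ssh only from a private range, HTTP and ping from anywhere."""
    return SecurityGroup(
        name="web",
        rules=[
            Rule("tcp", 22, 22, "10.0.0.0/8"),
            Rule("tcp", 80, 80, "0.0.0.0/0"),
            Rule("icmp", -1, -1, "0.0.0.0/0"),
        ],
    )


# Constructed sample packets: (protocol, source IP, destination port / ICMP type)
SAMPLE_PACKETS = [
    ("tcp", "10.1.2.3", 22),       # ssh from the private range -> ALLOW
    ("tcp", "203.0.113.5", 22),    # ssh from outside -> DROP
    ("tcp", "203.0.113.5", 80),    # HTTP from anywhere -> ALLOW
    ("udp", "10.1.2.3", 53),       # no udp rule at all -> DROP
    ("icmp", "198.51.100.7", 8),   # echo request -> ALLOW
]


if __name__ == "__main__":
    group = sample_group()
    for packet, verdict in evaluate(group, SAMPLE_PACKETS):
        print(f"{verdict:5} {packet}")
    for rule in world_open_rules(group):
        print(f"open to the world: {rule}")
```

Because the evaluation happens outside the instance, a compromised VM cannot loosen its own rules; the audit helper is the piece to run regularly, since a rule like `tcp 22 from 0.0.0.0/0` is the usual way that property is undone by accident.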

Page 14

OpenStack Security Fundamentals

• HTTPS

• VLANManager mode

– VLAN and bridge for each project

– Requires a switch that supports VLAN tagging

– Private IPs that are only accessible from inside the VLAN

• Floating IPs

• VPN

– A special VPN instance (cloudpipe) needs to be created

– Certificate and key for the user to access the VPN

– Haven’t put this to use yet

Page 15

Open Security Architecture: Cloud Computing Pattern

• Cloud Computing Pattern

• Controls

Page 16

IaaS Security Best Practices

• AWS Security Best Practices

– Protect your data in transit

– Protect your data at rest

– Protect your AWS credentials

– Manage multiple Users and their permissions with IAM

– Secure your application

Page 17

IaaS Security Best Practices

• Twenty Rules for Amazon Cloud Security

– Encrypt all network traffic.

– Use only encrypted file systems for block devices and non-root local devices.

– Encrypt everything you put in S3 using strong encryption…

• Key Security Issues for the Amazon Cloud

– Amazon is in control of your data.

– The Amazon S3 cloud storage infrastructure is weakly secured.

– Perimeter security in the cloud is very different…

Page 18

OpenStack Vulnerability Management

• wiki.openstack.org/VulnerabilityManagement

• The OpenStack vulnerability management team is responsible for coordinating the progressive disclosure of a vulnerability.

• Classification

– Critical, Normal, Low

• Process

– From encrypted email

– From Launchpad bug entry

– Coordinated disclosure

Page 19

OpenStack Community

Page 20

OpenStack Projects

• DAIR

– www.canarie.ca/en/dair-program/about

– github.com/canarie/dair

• Cloud-Enabled Space Weather Platform

– www.ceswp.ca

• NeCTAR

– www.nectar.org.au

Page 21

Other Technologies

• Virtual Computing Lab

• StarCluster

• Moodle

• Nagios & collectd

• Puppet

• KVM

• Python & Django

• Groovy & Grails

• Git

• Ubuntu & CentOS

• NoMachine

Page 22

DevOps

• In a DevOps environment, developers and sysadmins build relationships, processes, and tools that allow them to better interact and ultimately better service the customer.

• DevOps is also more than just software deployment – it’s a whole new way of thinking about cooperation and coordination between the people who make the software and the people who run it.

• Infrastructure as Code

Page 23

Scrum

• Agile

• Iterative (sprints)

• Focused on delivery and feedback

• Customer collaboration

Page 24

Tech Radar

Page 25

Confucius Sez

“Real knowledge is to know the extent of one’s ignorance.”

Page 26

Questions?

• slideshare.net/cybera/openstack-security-professionals-information-exchange

• cybera.ca

• cybera.ca/tech-radar

• cybera.ca/tech-radar/getting-started-with-cloud-openstack-cybera

• groups.google.com/group/cybera-tech-radar