© MIRANTIS 2013

Page 1

Securing for compliance

Tomasz ‘Zen’ Napierała

Sr. OpenStack Engineer

Page 2

Tomasz Z. Napierała

Senior OpenStack Engineer @ Mirantis, Inc.

automation, web performance, compliance, security

Page 3

Mirantis, Inc.

Largest independent vendor of OpenStack services and technology.

We operate from Mountain View, California, with remote offices in Russia, Ukraine and Poland.

60+ successful OpenStack implementations and 400+ infrastructure experts.

Page 4

Mirantis, Inc.

Page 5

Agenda

Page 6

What’s included

• State of cloud compliance

• Modules overview

• Practical tips

Page 7

What’s not included

• Securing VMs

• Guarantee

Page 8

PCI DSS overview

Page 9

PCI DSS recap

• Set of policies and procedures

• Optimize security of financial data processing

• Protect cardholders

• 12 general requirements

• Ongoing process

• PCI DSS version 2.0

Page 10

State of compliance in cloud

• Not possible (pre 2012)

• Hard, not clear (pre 2013)

• PCI DSS 2.0 Cloud Computing Guide (Feb. 2013)

• Production deployments

  • Rackspace

Page 11

Where are we

“Rely on Cloud Service Provider for HW->Hypervisor related compliance”

Phil Cox, RightScale

Page 12

Where are we

• Hardware

• Network

• Storage

• Hypervisor

• VM

Page 13

PCI DSS requirements

Source: http://www.datasecureworks.com/images/Trustwave/pci-requirements-grid.png

Page 14

Projects history

• Initially launched for customer (2 engineers)

• Moved into internal project (2+ engineers)

• Some parts reused in other projects

• 2 clients using the tools

Page 15

Projects limitations

• RedHat / CentOS compatible

• Only for private IaaS clouds

• Operator centric

• Technology focused

• Everything in scope

• No “redo”

• No OpenStack patches

• No firewall management

Page 16

Ingredients

Page 17

Elements

• Baseline hardening

• HSM PoC

• Auditing system

• Log collection system

• Intra-cluster secure communication

• Audit tools

• Documentation

Page 18

Tools

• Fuel extension

• Puppet modules

• OpenStack patches (not included)

• OpenSCAP profiles (SRR)

• Documentation

• Checklist

Page 19

Notes

• PCI DSS 2.0

• NIST

Page 20

External dependencies

• LDAP / AD

• HSM (PoC available)

• Secure database + SSL

Page 21

Puppet modules

Page 22

aide

• File integrity checking with AIDE

Page 23

auditd

• Auditing and logging during boot

• Auditing and logging in runtime

• Crucial file access monitoring

• Over 80 rules

• Based on Aqueduct project: https://fedorahosted.org/aqueduct/
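What a file-access-monitoring rule set looks like when shipped through Puppet, as an added example rather than the Mirantis auditd module or the Aqueduct rules: it targets RHEL/CentOS 6, and the rule list, watch paths and keys are constructed for illustration.

```puppet
# Added example (not the Mirantis module); paths, keys and values are assumptions.
class auditd_example {
  package { 'audit': ensure => installed }

  # -w watches a path, -p picks the accesses to record (r/w/x/a = read,
  # write, execute, attribute change) and -k tags the event so it can be
  # found later with: ausearch -k identity
  $rules = [
    '-D',                           # drop any rules loaded earlier
    '-b 8192',                      # kernel backlog so bursts are not lost
    '-f 1',                         # on audit failure: warn, never panic
    '-w /etc/passwd -p wa -k identity',
    '-w /etc/shadow -p wa -k identity',
    '-w /etc/group -p wa -k identity',
    '-w /etc/sudoers -p wa -k privilege',
    '-w /etc/ssh/sshd_config -p wa -k sshd',
    '-w /etc/audit/ -p wa -k auditconfig',
    '-w /etc/nova/ -p wa -k openstack',       # OpenStack service configs
    '-w /etc/keystone/ -p wa -k openstack',
    # failed file opens (EACCES) and clock changes; 32-bit hosts also need
    # the same two lines with arch=b32
    '-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access',
    '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change',
    '-e 1',   # enabled; -e 2 would lock the rules until reboot and also
              # make the reload below fail after any later change
  ]

  file { '/etc/audit/audit.rules':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => inline_template("<%= @rules.join(\"\\n\") %>\n"),
    require => Package['audit'],
    notify  => Service['auditd'],   # init script reloads via auditctl -R
  }

  service { 'auditd':
    ensure     => running,
    enable     => true,
    hasrestart => true,
    hasstatus  => true,
  }
}
```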

Page 24

baseline

• Disabling services

• Sysctl tuning

• Disabling interactive startup

• Password for single mode

• Profile tuning

• PCI DSS required info in issue/issue.net
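How the items on this slide map onto one Puppet class, as an added example rather than the Mirantis baseline module: it targets RHEL/CentOS 6 with core Puppet plus the augeas type, and the sysctl values, service list, profile settings and banner text are constructed.

```puppet
# Added example (not the Mirantis module); all values are assumptions.
class baseline_example {
  # Disabling services: only list init scripts present on the host; the
  # redhat provider errors on a missing script.
  service { ['cups', 'avahi-daemon', 'bluetooth']:
    ensure => stopped,
    enable => false,
  }
  # Sysctl tuning through the Augeas Sysctl lens. net.ipv4.ip_forward is
  # deliberately untouched: OpenStack network nodes need it.
  augeas { 'sysctl_hardening':
    context => '/files/etc/sysctl.conf',
    changes => [
      'set net.ipv4.conf.all.accept_redirects 0',
      'set net.ipv4.conf.all.send_redirects 0',
      'set net.ipv4.conf.all.accept_source_route 0',
      'set net.ipv4.conf.all.log_martians 1',
      'set net.ipv4.tcp_syncookies 1',
      'set kernel.randomize_va_space 2',
      'set fs.suid_dumpable 0',
    ],
    notify  => Exec['sysctl_reload'],
  }
  exec { 'sysctl_reload':
    command     => '/sbin/sysctl -p',
    refreshonly => true,
  }
  # Interactive startup (PROMPT) and the single-user-mode password (SINGLE)
  # are both controlled by /etc/sysconfig/init on RHEL 6.
  augeas { 'sysconfig_init':
    context => '/files/etc/sysconfig/init',
    changes => ['set PROMPT no', 'set SINGLE /sbin/sulogin'],
  }
  # Profile tuning: 15-minute idle timeout (PCI DSS 8.5.15) and a tight umask.
  file { '/etc/profile.d/pci.sh':
    ensure  => file,
    mode    => '0644',
    content => "readonly TMOUT=900\nexport TMOUT\numask 027\n",
  }
  # Banner text is constructed; sshd also needs 'Banner /etc/issue.net'
  # (ssh module) for remote logins to see it.
  file { ['/etc/issue', '/etc/issue.net']:
    ensure  => file,
    mode    => '0644',
    content => "Authorized use only. All activity is monitored and logged.\n",
  }
}
```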

Page 25

clamav

• Scanning policies

• Update policies

• Logging

Page 26

controller_ipsec

• Mesh tunnels between controllers

Page 27

limits

• Tuning system limits

Page 28

Logstash (+ kibana + zeromq)

• Entire log collection infrastructure

• Predefined OpenStack inputs + filters

Page 29

pam

• Cracklib

• Blocking accounts

Page 30

pwpolicy

• Password policies

Page 31

rabbitmq

• Added SSL support

Page 32

securetty

• Disabling root login on console

Page 33

secureusers

• Securing internal OpenStack and system users

Page 34

ssh

• Secure SSH client and server configuration

Page 35

sudo

• Protecting from shell escapes

• Disabling sudo su for root

• Secure defaults for sessions
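A sudoers drop-in that implements the three bullets above, as an added example rather than the Mirantis sudo module: RHEL/CentOS 6 is assumed, the group name, command lists and paths are constructed, and validate_cmd needs Puppet 3.5 or newer (on older releases drop it and run visudo -c in CI instead).

```puppet
# Added example (not the Mirantis module); group, paths and command lists
# are assumptions for illustration.
class sudo_example {
  $sudoers = '
# Secure defaults for sessions
Defaults    env_reset                 # scrub the caller environment
Defaults    use_pty                   # run in a fresh pty, not the caller tty
Defaults    requiretty
Defaults    !visiblepw
Defaults    timestamp_timeout=5       # re-prompt after 5 idle minutes
Defaults    passwd_tries=3
Defaults    logfile=/var/log/sudo.log
Defaults    log_input, log_output     # session I/O for sudoreplay

# Operators get an explicit command list, never ALL. NOEXEC stops pagers
# from spawning a shell (the classic "!sh" escape); files are edited through
# sudoedit, so no editor binary is granted at all.
Cmnd_Alias  OPS_SERVICES = /sbin/service openstack-*
Cmnd_Alias  OPS_VIEW     = /usr/bin/less /var/log/nova/*, /usr/bin/tail /var/log/nova/*
Cmnd_Alias  OPS_EDIT     = sudoedit /etc/nova/nova.conf

%operators  ALL = (root) OPS_SERVICES, OPS_EDIT, NOEXEC: OPS_VIEW

# "Disabling sudo su": su, sh and bash are absent from every list. Excluding
# them with "!/bin/su" on top of ALL is not a restriction, as sudoers(5)
# itself warns, which is why allow-lists are used instead.
'

  file { '/etc/sudoers.d/openstack-ops':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => $sudoers,
    validate_cmd => '/usr/sbin/visudo -c -f %',   # reject a bad file before
  }                                                # it locks everyone out
}
```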

Page 36

What’s not included

• System images

• Glance protection

• Swift encryption

Page 37

Tips

• HSM (PoC available)

• Compliance is not technology

• Virtualized != cloud

• Automation is king

• Get an expert

• Get experienced QSA

• Use Quantum

Page 38

Notes

• Buggy egress filtering in Grizzly

• No default TLS support in VNC

• No image scanning, shredding, etc.

• User cleanup scripts

• No logging framework for tracking cloud activities?

• No granular access rights

• No default “zero access” policy

Page 39

Notes on 8.5

Page 40

Notes on 10.1

Page 41

Roadmap

• Publication will be announced on Mirantis blog

• Planned date: end of 2013

Page 42

Questions?